Disable following redirects when checking peer urls #16986

jmhbnz · 2023-11-20T21:27:44Z

It's possible that etcd server may run into a server side request forgery situation when adding a new member. If users provide a malicious peer URL, the existing etcd members may be redirected to other unexpected internal URL when getting the new member's version.

One component of #16969

It's possible that etcd server may run into SSRF situation when adding a new member. If users provide a malicious peer URL, the existing etcd members may be redirected to other unexpected internal URL when getting the new member's version. Signed-off-by: James Blair <mail@jamesblair.net>

ahrtr

lgtm

Thanks

fuweid

LGTM

jmhbnz requested a review from ahrtr November 20, 2023 21:27

serathius approved these changes Nov 21, 2023

View reviewed changes

ahrtr approved these changes Nov 21, 2023

View reviewed changes

fuweid approved these changes Nov 21, 2023

View reviewed changes

ahrtr merged commit 7c0a09b into etcd-io:main Nov 21, 2023
33 checks passed

jmhbnz added the backport/v3.5 label Nov 27, 2023

jmhbnz mentioned this pull request Nov 27, 2023

[3.5] Backport disable following redirects when checking peer urls #17024

Merged

sharathsivakumar mentioned this pull request Nov 27, 2023

changelog: Update changelog for 3.5.11 to include url redirect fix #17027

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable following redirects when checking peer urls #16986

Disable following redirects when checking peer urls #16986

jmhbnz commented Nov 20, 2023

ahrtr left a comment

fuweid left a comment

Disable following redirects when checking peer urls #16986

Disable following redirects when checking peer urls #16986

Conversation

jmhbnz commented Nov 20, 2023

ahrtr left a comment

Choose a reason for hiding this comment

fuweid left a comment

Choose a reason for hiding this comment