http: Relaxed sanitization of referer header to allow relative URLs. #25947
/assign @yanavlasov
/wait-any
/wait
Thanks. Looks like format is not happy. I'm also getting a second maintainer opinion on the need for a runtime flag to be able to revert this behavior during the deprecation interval, since it is a user visible behavior change (even though the original behavior was incorrect). /wait
Force-pushed 2ff0984 to 5922fe7
@briansonnenberg Other maintainers agree that since this is a user visible change, it requires a runtime flag protection per policy. Please add this flag protection, here is an example: https://github.com/envoyproxy/envoy/pull/25060/files
/wait-any
Force-pushed 4de4ffb to 2bffdb0
…Tightened sanitization to reject URLs containing userinfo or fragment components
Signed-off-by: Brian Sonnenberg <bsonnenberg@google.com>
Force-pushed 8e90df4 to b472bc3
Can anyone elaborate on these test failures? It seems like different, unrelated tests are failing each time. Rebasing fixed a number of them, as I noticed some commits related to flaky tests recently went in.
@briansonnenberg Please don't force push as it erases the comment history. Some integration tests are flaky, and you can use "/retest" command to deflake them. Merging main can also help sometimes if someone fixed the flakes.
/retest
Retrying Azure Pipelines:
Commit Message: Tightened sanitization to reject URLs containing userinfo or fragment components, as per RFC.
Additional Description:
Risk Level: Low
Testing: Included
Docs Changes: Included
Release Notes: Included
Platform Specific Features: None
Fixes #25442
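The validation rule the PR description refers to is the one in RFC 7231 section 5.5.2: a Referer field is either an absolute URI or a partial (relative) URI, and it must not carry a fragment or a userinfo component. The following is an added example written for this page, not Envoy's own sanitizer or any code from this PR, showing one way to express that rule over the RFC 3986 grammar so that relative references such as `/path?q=1` pass while `https://user:pw@host/` and `https://host/page#frag` are rejected. The namespace, function names, and the choice to treat an empty header as malformed are assumptions of the example.

```cpp
// Added example, not Envoy code: a Referer validator modelled on RFC 7231
// s5.5.2 (Referer = absolute-URI / partial-URI, no userinfo, no fragment)
// using the RFC 3986 grammar for scheme and authority.
#include <cctype>
#include <iostream>
#include <string>

namespace referer_check {  // hypothetical namespace for this example

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
bool isValidScheme(const std::string& scheme) {
  if (scheme.empty() || !std::isalpha(static_cast<unsigned char>(scheme[0]))) {
    return false;
  }
  for (unsigned char c : scheme) {
    if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') {
      return false;
    }
  }
  return true;
}

// Returns true when `value` is acceptable as a Referer: an absolute URI or a
// relative reference, with no fragment and no userinfo in the authority.
bool isValidReferer(const std::string& value) {
  if (value.empty()) {
    return false;  // assumption of this example: an empty Referer is malformed
  }
  for (unsigned char c : value) {
    // A URI reference may only contain visible ASCII (0x21-0x7E); this also
    // rejects spaces, control bytes and CR/LF that would split the header.
    if (c < 0x21 || c > 0x7E) {
      return false;
    }
    if (c == '#') {
      return false;  // fragment component is forbidden in Referer
    }
  }

  // A ':' that appears before any '/' or '?' can only be a scheme delimiter:
  // RFC 3986 path-noscheme forbids ':' in the first segment of a relative
  // reference, so such a prefix must be a syntactically valid scheme.
  std::string::size_type firstDelim = value.find_first_of("/?");
  std::string::size_type colon = value.find(':');
  std::string::size_type rest = 0;  // index where hier-part / relative-part starts
  if (colon != std::string::npos &&
      (firstDelim == std::string::npos || colon < firstDelim)) {
    if (!isValidScheme(value.substr(0, colon))) {
      return false;
    }
    rest = colon + 1;
  }

  // If an authority follows ("//"), it runs to the next '/' or '?' and must
  // not contain a userinfo component. '@' elsewhere (e.g. in a path) is legal.
  if (value.compare(rest, 2, "//") == 0) {
    std::string::size_type authorityStart = rest + 2;
    std::string::size_type authorityEnd = value.find_first_of("/?", authorityStart);
    if (authorityEnd == std::string::npos) {
      authorityEnd = value.size();
    }
    std::string authority = value.substr(authorityStart, authorityEnd - authorityStart);
    if (authority.find('@') != std::string::npos) {
      return false;  // userinfo component is forbidden in Referer
    }
  }
  return true;
}

}  // namespace referer_check

int main() {
  // Constructed sample header values, not taken from any real traffic.
  const char* samples[] = {
      "https://example.com/path?q=1",      // absolute URI: accepted
      "/relative/path?x=1",                // relative reference: accepted
      "//example.com/path",                // network-path reference: accepted
      "https://user:pw@example.com/",      // userinfo: rejected
      "https://example.com/page#frag",     // fragment: rejected
      "1abc:foo",                          // invalid scheme: rejected
  };
  for (const char* s : samples) {
    std::cout << (referer_check::isValidReferer(s) ? "accept  " : "reject  ") << s << "\n";
  }
  return 0;
}
```

The check is deliberately structural rather than a full URI parse: it only needs to locate the scheme and authority to decide whether userinfo or a fragment is present, which is all the Referer rule requires, and it stays strict about the character set so that header-splitting bytes never reach a downstream parser.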