Fixed XF\Http\Reader should not allow .internal domains to be fetched from an untrusted context

Xon

Well-known member
Affected version
2.3.2
.INTERNAL is now reserved for private-use applications

XF\Http\Reader::isRequestableUntrustedUrlExtended should return false for domains which match .internal (maybe even internal), as this can be used for internal DNS resolution and should not be publicly available.

Similar logic probably should handle .example/.invalid/.test/.local/.localhost, which are reserved top-level domains.

HCaptcha::isLocalDomain likely should be updated too.
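As an added illustration of the check Xon is asking for (example code, not XenForo's XF\Http\Reader or HCaptcha implementation; the function names are assumed): a host classifier that treats the bare reserved TLD and any name under it as local, and goes one step beyond the report by also classifying non-global IP literals as local.

```python
import ipaddress
from urllib.parse import urlsplit

# TLDs the report names as reserved or private-use (.internal per ICANN;
# .example/.invalid/.test/.localhost per RFC 6761; .local per RFC 6762).
RESERVED_TLDS = frozenset({"internal", "example", "invalid", "test", "local", "localhost"})


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing root dot and IPv6 brackets (assumed helper)."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host


def is_reserved_tld_host(host: str) -> bool:
    """True when the host is a reserved TLD itself ("internal") or any name under one."""
    labels = normalize_host(host).split(".")
    return labels[-1] in RESERVED_TLDS


def is_local_host(host: str) -> bool:
    """Host should be treated as local: reserved TLD, or a non-global IP literal."""
    host = normalize_host(host)
    if not host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal, so decide on the TLD
        return is_reserved_tld_host(host)
    # Loopback, RFC 1918, link-local and similar ranges are all non-global
    return not ip.is_global


def is_requestable_untrusted_url(url: str) -> bool:
    """Allow only http(s) URLs whose host is not local (assumed name, not XF's method)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, user-info and port already removed
    if not host:
        return False
    return not is_local_host(host)
```

This is a name-level check only; because a public hostname can resolve to a private address, the resolved address should be checked again at connect time.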
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.3).

Change log:
Check private use TLDs when determining if a host is local
There may be a delay before changes are rolled out to the XenForo Community.