Commit 71aafde
committed
fix: use exact match for loopback hosts in issuer URL validation
validate_issuer_url() used startswith("127.0.0.1") to exempt loopback
addresses from the HTTPS requirement. This prefix match incorrectly
allowed non-loopback hostnames like 127.0.0.1.evil.com or
127.0.0.1something.example.com to bypass the HTTPS check.
Replace with an exact match against the set of loopback hosts
(localhost, 127.0.0.1, [::1]), consistent with the DNS rebinding
protection elsewhere in the codebase. This also adds the missing
IPv6 loopback (::1) exemption.
Remove pragma: no cover from validation branches now that they
have dedicated test coverage.1 parent b9431d4 commit 71aafde
File tree
2 files changed
+52
-9
lines changed- src/mcp/server/auth
- tests/server/auth
2 files changed
+52
-9
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
34 | | - | |
35 | | - | |
36 | | - | |
37 | | - | |
38 | | - | |
39 | | - | |
40 | | - | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
41 | 37 | | |
42 | 38 | | |
43 | 39 | | |
44 | | - | |
| 40 | + | |
45 | 41 | | |
46 | | - | |
| 42 | + | |
47 | 43 | | |
48 | 44 | | |
49 | 45 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
0 commit comments