CVE-2023-22493: feat(config)!: unsafe domain toggle (#11588) · DIYgod/RSSHub@a66cbcf
RSSHub is an open source RSS feed generator. RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. An attacker could also use this vulnerability to send requests to internal or any other servers or resources on the network, potentially gaining access to sensitive information that would not normally be accessible and amplifying the impact of the attack. The patch for this issue can be found in commit a66cbcf.
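The advisory describes the classic shape of this SSRF: a route takes a domain from the request and interpolates it straight into the URL the server then fetches. The following is an added illustration, not RSSHub's own code or the code changed in commit a66cbcf. The function and config names (`normalizeHost`, `resolveDomain`, `buildFeedUrl`, `makeConfig`) and the sample allow list are hypothetical; only the environment variable name `ALLOW_USER_SUPPLY_UNSAFE_DOMAIN` comes from the documentation below. It shows the vulnerable 'before' beside an allow-list gate that only lets a non-listed domain through when an operator has explicitly opted in.

```javascript
// Added example (not RSSHub code): gating a user-supplied domain behind an allow list.
// All names and the allow-list contents are hypothetical / constructed for illustration.

// Constructed sample allow list of domains a route is permitted to fetch from.
const ALLOWED_DOMAINS = new Set(['example.com', 'feeds.example.org']);

// Hypothetical config reader mirroring the documented env toggle.
// Anything other than "1" / "true" leaves the toggle off.
function makeConfig(env) {
  const raw = String(env.ALLOW_USER_SUPPLY_UNSAFE_DOMAIN || '').toLowerCase();
  return { allowUserSupplyUnsafeDomain: raw === '1' || raw === 'true' };
}

// Reduce user input to a bare, lowercase hostname, or null if it is not one.
// Rejecting anything with a scheme, userinfo, port or path closes the usual
// "example.com@evil.net" / "evil.net#example.com" smuggling tricks before the
// allow-list comparison runs.
function normalizeHost(input) {
  if (typeof input !== 'string') return null;
  const host = input.trim().toLowerCase().replace(/\.$/, '');
  const label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
  const hostnameRe = new RegExp(`^${label}(\\.${label})*$`);
  return hostnameRe.test(host) ? host : null;
}

// Return the host the server may fetch from, or throw.
// Exact matches and subdomains of an allowed domain always pass; anything else
// passes only when the operator has turned the unsafe toggle on.
function resolveDomain(userDomain, config, allowList = ALLOWED_DOMAINS) {
  const host = normalizeHost(userDomain);
  if (host === null) throw new Error('invalid domain');
  if (allowList.has(host)) return host;
  for (const allowed of allowList) {
    if (host.endsWith('.' + allowed)) return host;
  }
  if (config.allowUserSupplyUnsafeDomain) {
    // Operator opted in. Note the hostname grammar check still applies, but
    // internal names and IP literals (e.g. 169.254.169.254) now pass: this is
    // exactly the SSRF exposure the documentation warns public instances about.
    return host;
  }
  throw new Error(`domain not in allow list: ${host}`);
}

// Boolean convenience wrapper around resolveDomain.
function isDomainPermitted(userDomain, config, allowList = ALLOWED_DOMAINS) {
  try {
    resolveDomain(userDomain, config, allowList);
    return true;
  } catch (e) {
    return false;
  }
}

// Vulnerable 'before': the attacker-controlled value is interpolated unchecked,
// so a request for 169.254.169.254 makes the server fetch the cloud metadata host.
function buildFeedUrlUnsafe(userDomain) {
  return `https://${userDomain}/feed`;
}

// Hardened 'after': the domain must survive normalisation and the allow-list gate.
function buildFeedUrl(userDomain, config) {
  return `https://${resolveDomain(userDomain, config)}/feed`;
}
```

With the toggle off, `buildFeedUrl('169.254.169.254', makeConfig({}))` throws, while `buildFeedUrlUnsafe` happily returns the metadata URL; with `ALLOW_USER_SUPPLY_UNSAFE_DOMAIN=true` the hardened path lets that host through as well, which is why the documentation tells public instances to leave the setting at its default.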
@@ -564,14 +564,16 @@ It is also valid to contain route parameters, e.g. `/weibo/user/2612249974`.
::: tip Experimental features
Configs in this sections are in beta stage, and are turn off by default. Please read corresponded description and turn on if necessary.
Configs in this sections are in beta stage, and **are turn off by default**. Please read corresponded description and turn on if necessary.
:::
`ALLOW_USER_HOTLINK_TEMPLATE`: [Parameters->Multimedia processing](/en/parameter.html#multimedia-processing)
`FILTER_REGEX_ENGINE`: Define Regex engine used in [Parameters->filtering](/en/parameter.html#filtering). Valid value are `[re2, regexp]`. Default value is `re2`. We suggest public instance should leave this value to default, and this option right now is mainly for backward compatibility.
`ALLOW_USER_SUPPLY_UNSAFE_DOMAIN`: allow users to provide a domain as a parameter to routes that are not in their allow list, respectively. Public instances are suggested to leave this value default, as it may lead to [Server-Side Request Forgery (SSRF)](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)
Other Application Configurations
`DISALLOW_ROBOT`: prevent indexing by search engine, default to enable, set false or 0 to disable
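Review bot: the new `ALLOW_USER_SUPPLY_UNSAFE_DOMAIN` entry tells operators to "leave this value default" but never says what the default is or which values are accepted, whereas the neighbouring `FILTER_REGEX_ENGINE` entry spells out `Valid value are [re2, regexp]. Default value is re2.`; add the same two sentences here so a reader can confirm from the docs alone that the toggle ships off and what string turns it on. Two wording points in the same added line: "respectively" has nothing to refer to and should be dropped, and the sentence ends on the SSRF link without a closing period. Since the "Experimental features" tip line is already being touched to add emphasis, "are turn off by default" should also become "are turned off by default".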