From 013fb73068281b45b33c72abaae0c42c8d79c499 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Sat, 20 Nov 2021 17:34:05 +0800 Subject: Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmatcher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. --- custom/conf/app.example.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'custom/conf') diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 16977f609b..066e7e2cda 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -2114,7 +2114,7 @@ PATH = ;ALLOWED_DOMAINS = ;; ;; Blocklist for migrating, default is blank. Multiple domains could be separated by commas. -;; When ALLOWED_DOMAINS is not blank, this option will be ignored. +;; When ALLOWED_DOMAINS is not blank, this option has a higher priority to deny domains. ;BLOCKED_DOMAINS = ;; ;; Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291 (false by default) -- cgit v1.2.3
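Review bot: The new comment on BLOCKED_DOMAINS ("has a higher priority to deny domains") leaves the evaluation order ambiguous for an administrator reading only app.example.ini. It does not say outright that a host matching both lists is rejected, and it drops the old sentence without saying what happens when ALLOWED_DOMAINS is blank. Since this reverses the previous documented behaviour (the blocklist used to be ignored whenever an allowlist was set), existing configs can change meaning silently on upgrade, so the wording should be explicit, for example: ";; Hosts matching BLOCKED_DOMAINS are always denied, even if they also match ALLOWED_DOMAINS." The commit message says the lists are now enforced at dial time so that a 302 redirect cannot bypass them, but nothing in the ini comment tells the operator that the check applies to redirect targets and resolved addresses as well as the submitted URL; one added comment line here would document that. It would also help to state how BLOCKED_DOMAINS interacts with the private-address option on the following context line, because both now decide whether a migration target is reachable.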