From 599ff1c054e436daa4dc3f049aa8661d9c2395f9 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Mon, 1 Nov 2021 16:39:52 +0800
Subject: Only allow webhook to send requests to allowed hosts (#17482)

---
custom/conf/app.example.ini | 6 ++++++
1 file changed, 6 insertions(+)

(limited to 'custom')

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 1753ed2330..eadc1c0d96 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1396,6 +1396,12 @@ PATH =
 ;; Deliver timeout in seconds
 ;DELIVER_TIMEOUT = 5
 ;;
+;; Webhook can only call allowed hosts for security reasons. Comma separated list, eg: external, 192.168.1.0/24, *.mydomain.com
+;; Built-in: loopback (for localhost), private (for LAN/intranet), external (for public hosts on internet), * (for all hosts)
+;; CIDR list: 1.2.3.0/8, 2001:db8::/32
+;; Wildcard hosts: *.mydomain.com, 192.168.100.*
+;ALLOWED_HOST_LIST = external
+;;
 ;; Allow insecure certification
 ;SKIP_TLS_VERIFY = false
 ;;
-- cgit v1.2.3
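Review bot: The CIDR example `1.2.3.0/8` in the added comment has host bits set, so an operator copying it may expect a narrow range while a /8 mask describes the whole `1.0.0.0/8` network (or the entry is rejected, depending on how the parser treats host bits, which this hunk does not show). In an allow-list that limits where webhooks may connect, the example should be canonical, e.g. `;; CIDR list: 1.2.3.0/24, 2001:db8::/32`. The comment also offers `*`, `loopback` and `private` without saying that they re-open delivery to internal services, presumably the exposure this setting exists to limit; a line such as `;; Avoid *, loopback and private unless webhook targets on those networks are trusted` would make the trade-off explicit. It would also help to state whether `*.mydomain.com` matches the bare `mydomain.com` and what an empty value means, since neither is documented here.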