Add address check inside OPENSOCKET callback #2
JordanMilne added a commit to JordanMilne/safeurl-python that referenced this issue Oct 26, 2016
Fixes IncludeSecurity#2. Instead of rewriting the hostname to be the IP address, instead we look at the resolved IP just before cURL opens the socket. This is fine since cURL's connection pools are per-handle so we don't have to worry about keep-alive and other handles' connections. This negates the need for DNS pinning, so enabling DNS pinning is now effectively a no-op.

pycurl has a hook that can run whenever a socket is opened, with one of the parameters being the resolved IP of the address to connect to (at least according to this unit test.)
If you check the address passed into the callback against the IP whitelist / blacklist you should be able to get rid of the manual DNS pinning, resolving your problems with the CN validation failing with HTTPS. Unfortunately this callback isn't exposed in PHP so it can't be used in safeurl-php.
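
An added example, not code from safeurl-python or from this issue: one way the address check described above could sit inside pycurl's OPENSOCKETFUNCTION callback. It assumes a pycurl release whose callback receives `(purpose, curl_address)` with the resolved IP in `curl_address.addr[0]`; `BLOCKED_NETS`, `is_allowed`, `make_opensocket_callback` and `fetch` are hypothetical names, and the deny list is constructed for illustration.

```python
import ipaddress
import socket

# Constructed deny list for illustration (assumption, not safeurl's own list).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_allowed(ip_text):
    """Return True only if the resolved IP parses and is outside every blocked net."""
    try:
        ip = ipaddress.ip_address(str(ip_text).split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return False  # fail closed on anything that is not an IP literal
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as an IPv6 address
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip.version == net.version and ip in net for net in BLOCKED_NETS)

def make_opensocket_callback(socket_bad):
    """Build the callback; socket_bad is the value to return on refusal (pycurl.SOCKET_BAD)."""
    def opensocket(purpose, curl_address):
        # addr is (ip, port) for IPv4 and (ip, port, flowinfo, scope_id) for IPv6
        ip = curl_address.addr[0]
        if not is_allowed(ip):
            return socket_bad  # cURL fails this connection attempt
        return socket.socket(curl_address.family, curl_address.socktype,
                             curl_address.protocol)
    return opensocket

def fetch(url):
    """Usage sketch; needs pycurl and network access, so nothing calls it here."""
    import pycurl
    from io import BytesIO
    buf, c = BytesIO(), pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.WRITEDATA, buf)
    c.setopt(pycurl.OPENSOCKETFUNCTION, make_opensocket_callback(pycurl.SOCKET_BAD))
    try:
        c.perform()
    finally:
        c.close()
    return buf.getvalue()
```

The callback runs only when cURL opens a new socket, so the check covers every fresh connection on the handle, including those made after a redirect.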