Severity: CRITICAL
Location: src/Controllers/BbsListingController.php:572-587
Bug: Admin preview path validates host; connectToken hands the raw bbs_directory.url host/port to the browser and then to the telnet proxy. Community entries can point at 169.254.169.254 / RFC1918.
Fix: Call UrlValidator::isPublicHost($host, $reason) before returning the JSON.
Status: open. Will reply with remediation details when resolved.
Resolved.
Added UrlValidator::isPublicHost guard to the community-BBS branch of connectToken in src/Controllers/BbsListingController.php.
Before returning the {host, port} pair to the browser (which then opens a WebSocket to the telnet proxy), the controller now:
promoteToFeatured (closes M-9 too).An authenticated user can no longer submit a community entry whose URL points at 169.254.169.254 or RFC1918 and use the telnet proxy to poke at internal infrastructure.
Also resolved as part of this fix: M-9 (IPv6 addresses mis-parsed) — I'll leave M-9 open to the normal batch but note it here for the audit trail.
Locking this thread.
We noticed you are visiting from a mobile device. We are glad you are here, but know that 6502ish is best experienced on the desktop. Some features are not easily used via mobile and your experience may vary from the full experience via desktop.