openclaw/src
Andrew Demczuk bffb83acf8
fix(gateway): stop SSRF guard rejecting operator-configured proxy hostnames (#62312)

When allowPrivateProxy is true, the explicit proxy hostname is
operator-configured and trusted. The SSRF guard was checking the proxy hostname
against the target-scoped hostnameAllowlist (e.g. ["api.telegram.org"]),
which rejected localhost and other local proxy hostnames. This broke
Telegram media downloads (and any channel using a local proxy) after
the url-fetch security hardening in 2026.4.x.

Clear the hostnameAllowlist for the proxy hostname check while keeping
private-network IP validation in place via allowPrivateNetwork.

Fixes #61906

Co-authored-by: Devin Robison <drobison00@users.noreply.github.com>
2026-04-07 13:22:21 -06:00
acp refactor: dedupe acp lowercase helpers 2026-04-07 15:53:50 +01:00
agents feat: add cover image support to Discord event create (#60883) 2026-04-07 13:40:39 -05:00
auto-reply Refactor: centralize native approval lifecycle assembly (#62135) 2026-04-07 14:40:26 -04:00
bindings
bootstrap
canvas-host refactor: dedupe remaining lowercase helpers 2026-04-07 15:12:32 +01:00
channels Refactor: centralize native approval lifecycle assembly (#62135) 2026-04-07 14:40:26 -04:00
chat
cli feat: add cover image support to Discord event create (#60883) 2026-04-07 13:40:39 -05:00
commands test: speed up provider auth onboarding test 2026-04-07 17:36:41 +01:00
compat
config fix(test): refresh schema snapshot and stabilize channel registry 2026-04-07 20:04:29 +01:00
context-engine feat: expose prompt-cache runtime context to context engines (#62179) 2026-04-07 09:29:57 -07:00
cron Tests: tighten cron timeout start handshakes 2026-04-08 01:20:00 +08:00
daemon refactor: dedupe core lowercase helpers 2026-04-07 15:12:32 +01:00
docs
flows
gateway fix(browser): align browser.proxy profile mutation guards (#60489) 2026-04-07 13:00:21 -06:00
hooks
i18n
image-generation refactor: dedupe lowercase helper readers 2026-04-07 15:12:32 +01:00
infra fix(gateway): stop SSRF guard rejecting operator-configured proxy hostnames (#62312) 2026-04-07 13:22:21 -06:00
interactive refactor: dedupe reply lowercase helpers 2026-04-07 10:37:39 +01:00
link-understanding
logging refactor: dedupe shared normalizer readers 2026-04-07 08:40:35 +01:00
markdown
mcp refactor: dedupe shared string aliases 2026-04-07 09:44:53 +01:00
media refactor: dedupe media and discord lowercase helpers 2026-04-07 13:44:41 +01:00
media-generation fix(test): restore support shard boundaries 2026-04-07 08:59:23 +01:00
media-understanding refactor: dedupe core lowercase helpers 2026-04-07 15:12:32 +01:00
memory-host-sdk refactor: dedupe extension lowercase helpers 2026-04-07 15:12:32 +01:00
music-generation refactor: dedupe lowercase helper readers 2026-04-07 15:12:32 +01:00
node-host refactor: dedupe daemon lowercase helpers 2026-04-07 13:44:42 +01:00
pairing refactor: dedupe infra lowercase helpers 2026-04-07 13:01:23 +01:00
plugin-sdk Refactor: centralize native approval lifecycle assembly (#62135) 2026-04-07 14:40:26 -04:00
plugins test: speed up plugin cli tests 2026-04-07 19:59:46 +01:00
process refactor: dedupe path lowercase helpers 2026-04-07 15:53:50 +01:00
realtime-transcription refactor: dedupe provider registry normalizers 2026-04-07 10:37:38 +01:00
realtime-voice refactor: dedupe provider registry normalizers 2026-04-07 10:37:38 +01:00
routing refactor: dedupe routing lowercase helpers 2026-04-07 11:18:18 +01:00
scripts test: stabilize scoped runners and qa ports 2026-04-07 15:28:46 +01:00
secrets refactor: dedupe lowercase helper readers 2026-04-07 15:12:32 +01:00
security refactor: dedupe extension lowercase helpers 2026-04-07 15:12:32 +01:00
sessions fix: restore ci type compatibility 2026-04-07 13:44:42 +01:00
shared refactor: dedupe infra lowercase helpers 2026-04-07 13:01:23 +01:00
tasks Tests: fix provider artifact typing 2026-04-07 10:07:06 +01:00
terminal refactor: dedupe infra lowercase helpers 2026-04-07 15:53:50 +01:00
test-helpers refactor: dedupe extension lowercase helpers 2026-04-07 15:12:32 +01:00
test-utils
tts refactor: dedupe core lowercase helpers 2026-04-07 15:12:32 +01:00
tui refactor: dedupe plugin lowercase helpers 2026-04-07 15:53:50 +01:00
types
utils refactor: dedupe provider lowercase helpers 2026-04-07 15:53:50 +01:00
video-generation refactor: dedupe lowercase helper readers 2026-04-07 15:12:32 +01:00
web
web-fetch fix(build): drop duplicate web fetch helper 2026-04-07 13:34:20 +01:00
web-search refactor: dedupe core lowercase helpers 2026-04-07 15:12:32 +01:00
wizard
browser-lifecycle-cleanup.test.ts
browser-lifecycle-cleanup.ts
channel-web.ts
docker-build-cache.test.ts
docker-image-digests.test.ts
docker-setup.e2e.test.ts
dockerfile.test.ts fix: make qa lab docker boot resilient 2026-04-07 09:04:18 +01:00
entry.respawn.test.ts
entry.respawn.ts
entry.test.ts
entry.ts
entry.version-fast-path.test.ts
extensionAPI.ts
global-state.ts
globals.ts
index.test.ts
index.ts
install-sh-version.test.ts
library.test.ts
library.ts
logger.test.ts
logger.ts
logging.ts
param-key.ts
plugin-activation-boundary.test.ts
poll-params.test.ts
poll-params.ts refactor: dedupe daemon lowercase helpers 2026-04-07 13:44:42 +01:00
polls.test.ts
polls.ts
runtime.ts
ui-app-settings.agents-files-refresh.test.ts
utils.test.ts feat: Add first-class infer CLI for inference workflows (#62129) 2026-04-07 07:11:19 -05:00
utils.ts feat: Add first-class infer CLI for inference workflows (#62129) 2026-04-07 07:11:19 -05:00
version.test.ts
version.ts refactor: dedupe helper trim readers 2026-04-07 08:40:34 +01:00