openclaw/docs
Gustavo Madeira Santana a13ff55bd9
Security: Prevent gateway credential exfiltration via URL override (#9179)
* Gateway: require explicit auth for url overrides

* Gateway: scope credential blocking to non-local URLs only

Address review feedback: the previous fix blocked credential fallback for
ALL URL overrides, which was overly strict and could break workflows that
use --url to switch between loopback/tailnet without passing credentials.

Now credential fallback is only blocked for non-local URLs (public IPs,
external hostnames). Local addresses (127.0.0.1, localhost, private IPs
like 192.168.x.x, 10.x.x.x, tailnet 100.x.x.x) still get credential
fallback as before.

This maintains the security fix (preventing credential exfiltration to
attacker-controlled URLs) while preserving backward compatibility for
legitimate local URL overrides.

* Security: require explicit credentials for gateway url overrides (#8113) (thanks @victormier)

* Gateway: reuse explicit auth helper for url overrides (#8113) (thanks @victormier)

* Tests: format gateway chat test (#8113) (thanks @victormier)

* Tests: require explicit auth for gateway url overrides (#8113) (thanks @victormier)

---------

Co-authored-by: Victor Mier <victormier@gmail.com>
2026-02-04 18:59:44 -05:00
.i18n 🤖 docs: mirror landing revamp for zh-CN 2026-02-04 10:42:12 -08:00
assets Docs: landing page revamp (#8885) 2026-02-04 10:37:14 -05:00
automation fix: cron announce delivery path (#8540) (thanks @tyler6204) 2026-02-04 01:03:59 -08:00
channels docs: update Feishu plugin docs 2026-02-03 23:24:41 -08:00
cli Security: Prevent gateway credential exfiltration via URL override (#9179) 2026-02-04 18:59:44 -05:00
concepts feat: per-channel responsePrefix override (#9001) 2026-02-04 16:16:34 -05:00
debug Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
diagnostics Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
experiments Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
gateway Security: Prevent gateway credential exfiltration via URL override (#9179) 2026-02-04 18:59:44 -05:00
help iMessage: promote BlueBubbles and refresh docs/skills (#8415) 2026-02-03 18:06:54 -08:00
hooks Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
images Channels: finish Feishu/Lark integration 2026-02-03 14:27:39 -08:00
install feat: remove slop. 2026-02-03 22:04:17 +09:00
nodes fix: format issues and lint error in oauth.ts 2026-02-02 01:59:42 +01:00
platforms fix: harden voice-call webhook verification 2026-02-03 23:47:27 -08:00
plugins fix: harden voice-call webhook verification 2026-02-03 23:47:27 -08:00
providers feat: add cloudflare ai gateway provider 2026-02-04 04:10:13 -08:00
refactor Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
reference Docs: landing page revamp (#8885) 2026-02-04 10:37:14 -05:00
security chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
start 🤖 docs: mirror landing revamp for zh-CN 2026-02-04 10:42:12 -08:00
tools Security: Prevent gateway credential exfiltration via URL override (#9179) 2026-02-04 18:59:44 -05:00
web Security: Prevent gateway credential exfiltration via URL override (#9179) 2026-02-04 18:59:44 -05:00
zh-CN 🤖 docs: mirror landing revamp for zh-CN 2026-02-04 10:42:12 -08:00
CNAME refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
bedrock.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
brave-search.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
broadcast-groups.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
custom.css Docs: landing page revamp (#8885) 2026-02-04 10:37:14 -05:00
date-time.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
debugging.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
docs.json Docs: landing page revamp (#8885) 2026-02-04 10:37:14 -05:00
environment.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
hooks.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
index.md Docs: landing page revamp (#8885) 2026-02-04 10:37:14 -05:00
logging.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
multi-agent-sandbox-tools.md chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
network.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
northflank.mdx chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
perplexity.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
pi-dev.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
pi.md fix: align pi-coding-agent typings and docs 2026-02-01 16:08:01 -08:00
plugin.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
prose.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
railway.mdx chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
render.mdx chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
scripts.md chore: clean up git hooks and actually install them again. 2026-02-03 22:08:24 +09:00
testing.md chore: Add `pnpm check` for fast repo checks. 2026-02-02 11:16:13 +09:00
token-use.md docs: document cacheRetention parameter (#6270) 2026-02-01 09:16:37 -05:00
tts.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
tui.md Security: Prevent gateway credential exfiltration via URL override (#9179) 2026-02-04 18:59:44 -05:00
vps.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
whatsapp-openclaw-ai-zh.jpg Docs: add zh-CN landing notice + AI image 2026-02-02 18:35:01 +01:00
whatsapp-openclaw.jpg refactor: rename to openclaw 2026-01-30 03:16:21 +01:00