openclaw/docs/tools
Gustavo Madeira Santana a13ff55bd9
Security: Prevent gateway credential exfiltration via URL override (#9179)
* Gateway: require explicit auth for url overrides

* Gateway: scope credential blocking to non-local URLs only

Address review feedback: the previous fix blocked credential fallback for
ALL URL overrides, which was overly strict and could break workflows that
use --url to switch between loopback/tailnet without passing credentials.

Now credential fallback is only blocked for non-local URLs (public IPs,
external hostnames). Local addresses (127.0.0.1, localhost, private IPs
like 192.168.x.x, 10.x.x.x, tailnet 100.x.x.x) still get credential
fallback as before.

This maintains the security fix (preventing credential exfiltration to
attacker-controlled URLs) while preserving backward compatibility for
legitimate local URL overrides.

* Security: require explicit credentials for gateway url overrides (#8113) (thanks @victormier)

* Gateway: reuse explicit auth helper for url overrides (#8113) (thanks @victormier)

* Tests: format gateway chat test (#8113) (thanks @victormier)

* Tests: require explicit auth for gateway url overrides (#8113) (thanks @victormier)

---------

Co-authored-by: Victor Mier <victormier@gmail.com>
2026-02-04 18:59:44 -05:00
agent-send.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
apply-patch.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
browser-linux-troubleshooting.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
browser-login.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
browser.md docs: clarify docker power-user setup 2026-02-02 02:07:08 -08:00
chrome-extension.md fix: secure chrome extension relay cdp 2026-02-01 02:25:14 -08:00
clawhub.md Docs: expand ClawHub overview 2026-02-02 02:26:11 -08:00
creating-skills.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
elevated.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
exec-approvals.md fix: harden exec allowlist parsing 2026-02-02 16:53:15 -08:00
exec.md fix: harden host exec env validation (#4896) (thanks @HassanFleyah) 2026-02-01 15:37:19 -08:00
firecrawl.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
index.md Security: Prevent gateway credential exfiltration via URL override (#9179) 2026-02-04 18:59:44 -05:00
llm-task.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
lobster.md chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
reactions.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
skills-config.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
skills.md Docs: Fix typo in docs/tools/skills.md (#3050) 2026-02-01 10:05:46 -05:00
slash-commands.md Revert "iOS: wire node services and tests" 2026-02-02 17:36:49 +00:00
subagents.md feat(config): default thinking for sessions_spawn subagents (#7372) 2026-02-02 12:14:17 -08:00
thinking.md Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
web.md feat: add configurable web_fetch maxChars cap 2026-02-03 18:03:53 -08:00