The problem/use-case that the feature addresses
By making an alias to quit from host: a misdirected web client can't be used to execute commands on a redis daemon.
Server-Side Request Forgery may allow a client agent on a VPC or shared network segment as a redis server to send commands to a redis daemon (http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/).
The 2nd header on an HTTP request will be Host:. If we create an alias for the command host: it will always quit and close the connection before it can get to the POST body which contains the command payload.

Description of the feature
Security mitigation against SSRF and Cross-Protocol abuses used by hackers. Close the connection when any web client making a fetch() or POST request sends it to Redis - redis will flat out refuse and close the connection to any HTTP clients.

Alternatives you've considered
By not patching it, applications that use redis are more susceptible to attack. Another HTTP header could be used, but host is the best one imho.

Additional information
Security is good!
Comment From: oranagra
@TheRook as far as I know we already have exactly that, see a81a92ca2ceba364f4bb51efde9284d939e7ff47. In Redis 7.0 it was changed so that it's not a real command (won't show in command introspection), but the protection behavior should be the same. Am I missing anything?
Comment From: TheRook
Oh quit is no more? Well.. throwing an error that closes the connection would also be suitable - 'error HTTP client detected'
Comment From: oranagra
actually, these "commands" (i.e. HOST: and PORT), added in Redis 3.2 or so, were never an alias to QUIT; they were just executing plain code to close the connection.
and actually QUIT didn't use to be a command. In redis 7.0, we promoted QUIT to be a proper command (supported for command introspection), and demoted HOST: and PORT, see #9798.
anyway, considering the problem is solved since redis 3.2, which is even indicated in the link you provided, I don't understand why you opened the ticket and if there is something to do now or it can be closed.
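To make the mechanism discussed in the opening post and in the replies concrete, here is a small model of the guard (added example, not Redis source): Redis reads inline requests line by line, and when a line's first token is one of the two markers checked in its source, POST or Host:, it closes the connection, so a misdirected HTTP request is dropped at its request line, before any body is read. The request bytes below are constructed for the demonstration.

```python
"""Model of Redis's cross-protocol guard over inline requests.

Added example, not Redis code. Redis parses a non-RESP request one CRLF-terminated
line at a time, taking the first token as the command name. If that token is
"POST" or "Host:" it treats the peer as an HTTP client and closes the connection,
so the HTTP body (where a command payload would sit) is never reached.
"""

# Markers Redis's guard looks for (compared case-insensitively).
CROSS_PROTOCOL_MARKERS = {"post", "host:"}


def first_token(line: bytes) -> str:
    """Return the lower-cased first whitespace-separated token of an inline line."""
    parts = line.strip().split()
    return parts[0].decode("ascii", "replace").lower() if parts else ""


def process_connection(stream: bytes) -> list:
    """Consume raw connection bytes as inline lines and return a trace of actions.

    ("exec", name) means the line was handed to the command dispatcher
    (an unknown name would just get an error reply, connection kept open);
    ("close", reason) means the guard tripped and reading stopped there.
    """
    trace = []
    for line in stream.split(b"\r\n"):
        if not line.strip():
            continue  # blank line (e.g. end of HTTP headers) carries no command
        token = first_token(line)
        if token in CROSS_PROTOCOL_MARKERS:
            trace.append(("close", f"possible cross-protocol scripting attack: {token}"))
            return trace
        trace.append(("exec", token))
    return trace


# Constructed request: what a misdirected browser fetch()/POST delivers to port 6379.
HTTP_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:6379\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"CONFIG SET dir /tmp\r\n"  # body that must never reach the dispatcher
)

# Constructed request whose request line is not a marker; the Host: header trips it.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# A normal inline command for comparison.
INLINE_COMMAND = b"PING\r\n"
```

Run `process_connection` on each constant to see that the POST request is closed on its very first line, the GET request is closed on the Host: header, and the plain command is dispatched normally.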