fix(client): reject non-http custom cluster URL schemes#4741

Open
blackflytech wants to merge 2 commits into otter-sec:master from blackflytech:master


@blackflytech


Summary

Cluster::from_str previously accepted any custom URL whose input started with http, which allowed non-HTTP(S) schemes such as httpx://... to be parsed as custom RPC URLs and converted into websocket URLs.

This change tightens the custom cluster URL check to only accept http:// and https:// prefixes. The comparison uses the lowercased input, so valid uppercase schemes like HTTPS://... continue to work.

Regression tests cover both rejecting a non-HTTP scheme with an http prefix and accepting an uppercase HTTPS scheme.

Branch Target

If this contains breaking changes, it should target the anchor-next branch.
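
An added illustration of the check described in the summary above; it is not code from this pull request or from client/src/cluster.rs. The function names, the simplified websocket conversion (https maps to wss, anything else to ws) and the sample URLs are assumptions made for the example.

```rust
// Added example: hypothetical names, standard library only.

/// Pre-fix gate as the summary describes it: any input that starts with "http".
fn accepts_prefix_only(input: &str) -> bool {
    input.to_lowercase().starts_with("http")
}

/// Post-fix gate: the lowercased input must start with "http://" or "https://".
fn accepts_http_scheme(input: &str) -> bool {
    let lower = input.to_lowercase();
    lower.starts_with("http://") || lower.starts_with("https://")
}

/// Simplified stand-in for the HTTP-to-websocket conversion (assumption):
/// "https" becomes "wss", every other scheme silently becomes "ws".
fn derive_ws_url(input: &str) -> Option<String> {
    let (scheme, rest) = input.split_once("://")?;
    let ws_scheme = if scheme.eq_ignore_ascii_case("https") { "wss" } else { "ws" };
    Some(format!("{ws_scheme}://{rest}"))
}

/// Apply a gate, then derive the websocket URL for accepted input.
/// Returns (rpc_url, ws_url), or None when the gate rejects the input.
fn parse_custom(input: &str, gate: fn(&str) -> bool) -> Option<(String, String)> {
    if !gate(input) {
        return None;
    }
    Some((input.to_string(), derive_ws_url(input)?))
}

fn main() {
    // Constructed sample inputs.
    let samples = [
        "http://localhost:8899",
        "HTTPS://rpc.example.com",
        "httpx://rpc.example.com",
    ];
    for url in samples {
        let loose = parse_custom(url, accepts_prefix_only).map(|pair| pair.1);
        let strict = parse_custom(url, accepts_http_scheme).map(|pair| pair.1);
        println!("{url:28} prefix-only={loose:?} scheme-checked={strict:?}");
    }
}
```

With the prefix-only gate, the unknown scheme is accepted and falls through to a ws:// URL; with the scheme check it is rejected before any conversion happens.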

Signed-off-by: blackflytech <blackflytech@outlook.com>
@vercel

vercel Bot commented Jun 30, 2026


@blackflytech is attempting to deploy a commit to the OtterSec Team on Vercel.

A member of the Team first needs to authorize it.

0x4ka5h
0x4ka5h previously approved these changes Jun 30, 2026
Comment thread client/src/cluster.rs
Signed-off-by: blackflytech <blackflytech@outlook.com>

3 participants