In #2243 a check was introduced on the bearer realm returned by remote registries. This rejects realm URLs where the host is a localhost or private-range IP address.
We use go-containerregistry heavily in a project where the test suite uses an authenticated private registry that it runs on 127.0.0.1, and #2243 prevents use of this with the error:
invalid realm in www-authenticate: realm host "127.0.0.1" is a private or link-local address
Would it be reasonable to:
- Be able to disable the realm check via an option?
- Always allow a localhost / 127.0.0.1 realm URL if the remote registry we are making requests against is running on 127.0.0.1?
It's not entirely clear to me, either, why #2243 appears to reject URLs with numeric local IP addresses, but not the localhost hostname?
CC @evilgensec for any thoughts?
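The realm check described above, together with the two relaxations asked about (an option to switch the check off, and letting a loopback realm through when the registry being talked to is itself on a loopback address), written out as an added Go example. This is illustrative code written for this page, not go-containerregistry's implementation from #2243: the helper names (`realmFromChallenge`, `checkRealm`, `isNonPublicIP`, `hostOnly`), the `allowLocal` option and the sample `WWW-Authenticate` challenge are assumptions made here; only the error string mirrors the one quoted in the issue. The check inspects numeric IP literals only, which is what makes a `localhost` realm pass while `127.0.0.1` is rejected: `net.ParseIP("localhost")` returns nil, so nothing is evaluated for a hostname unless the code also resolves it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// realmRe pulls the realm="..." parameter out of a Bearer challenge.
var realmRe = regexp.MustCompile(`(?i)\brealm="([^"]*)"`)

// realmFromChallenge extracts the realm URL from a WWW-Authenticate value such as
//   Bearer realm="https://auth.example/token",service="registry.example"
func realmFromChallenge(challenge string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(strings.TrimSpace(challenge)), "bearer ") {
		return "", errors.New("www-authenticate is not a bearer challenge")
	}
	m := realmRe.FindStringSubmatch(challenge)
	if m == nil {
		return "", errors.New("no realm in www-authenticate")
	}
	return m[1], nil
}

// hostOnly strips an optional :port from "host:port" or "[v6]:port".
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]")
}

// isNonPublicIP reports whether a literal IP is loopback, link-local,
// unspecified, or in a private range (RFC 1918 / RFC 4193).
func isNonPublicIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified() || ip.IsPrivate()
}

// checkRealm validates the realm URL a registry hands back (assumed helper,
// not the library's own).
//
//   - allowLocal (assumed option) switches the host check off entirely.
//   - registryHost is the host (optionally host:port) the client is already
//     talking to; a loopback realm is accepted when the registry itself is
//     on a loopback address.
//
// Only numeric IP literals are inspected: net.ParseIP("localhost") is nil, so
// a hostname is never rejected by a check of this shape.
func checkRealm(realm, registryHost string, allowLocal bool) error {
	u, err := url.Parse(realm)
	if err != nil {
		return fmt.Errorf("invalid realm in www-authenticate: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("invalid realm in www-authenticate: unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname() // brackets already stripped for IPv6 literals
	if host == "" {
		return errors.New("invalid realm in www-authenticate: empty host")
	}
	if allowLocal {
		return nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil // a hostname, not an IP literal: not checked here
	}
	if !isNonPublicIP(ip) {
		return nil
	}
	if rip := net.ParseIP(hostOnly(registryHost)); rip != nil && rip.IsLoopback() && ip.IsLoopback() {
		return nil // test registry on 127.0.0.1 returning a 127.0.0.1 realm
	}
	return fmt.Errorf("invalid realm in www-authenticate: realm host %q is a private or link-local address", host)
}

func main() {
	// Constructed challenge, as a test registry on 127.0.0.1 might send it.
	challenge := `Bearer realm="http://127.0.0.1:5000/auth/token",service="test-registry"`
	realm, err := realmFromChallenge(challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println(checkRealm(realm, "registry.example", false)) // rejected
	fmt.Println(checkRealm(realm, "127.0.0.1:5000", false))   // allowed: registry is loopback too
	fmt.Println(checkRealm(realm, "registry.example", true))  // allowed: check disabled
}
```

The loopback exemption is deliberately narrow: a registry on 127.0.0.1 does not excuse a realm on 10.0.0.5 or 169.254.169.254, only another loopback address, so the relaxation covers the local test-suite case without reopening the check for every non-public range.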