Use `hostmatcher` to replace `matchlist`, improve security (#17605)

Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.

1 files changed, 1 insertions, 2 deletions

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 21e2bd1be4..624f1b4d1b 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -899,8 +899,7 @@ migrate.clone_address_desc = The HTTP(S) or Git 'clone' URL of an existing repos
 migrate.github_token_desc = You can put one or more tokens with comma separated here to make migrating faster because of Github API rate limit. WARN: Abusing this feature may violate the service provider's policy and lead to account blocking.
 migrate.clone_local_path = or a local server path
 migrate.permission_denied = You are not allowed to import local repositories.
-migrate.permission_denied_blocked = You are not allowed to import from blocked hosts.
-migrate.permission_denied_private_ip = You are not allowed to import from private IPs.
+migrate.permission_denied_blocked = You can not import from disallowed hosts, please ask the admin to check ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS settings.
 migrate.invalid_local_path = "The local path is invalid. It does not exist or is not a directory."
 migrate.invalid_lfs_endpoint = The LFS endpoint is not valid.
 migrate.failed = Migration failed: %v