shopware/core: Missing IP validation in /api/_action/media/external-link endpoint
What changed
The `/api/_action/media/external-link` endpoint in Shopware's core allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses without proper IP validation, unlike the parallel `uploadFromURL` flow which uses `FileUrlValidator` to block private/reserved IP ranges.
Who it affects
Shopware instances with authenticated admin users, especially in multi-tenant or compromised-credential scenarios.
What to do today
Apply the recommended fix: add `FileUrlValidator` validation to the `linkURL` flow in `MediaUploadService` and consider setting `max_redirects: 0` on the HttpClient request.
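
The kind of check the recommended fix calls for, written as an added example in plain PHP. It is not Shopware's `FileUrlValidator` or any other code from the project; `isPublicHttpUrl()` and its `$resolver` parameter are hypothetical names, and the URLs and resolver map are constructed so the demo runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not Shopware code. isPublicHttpUrl() and $resolver are
// hypothetical names; the real fix reuses the project's FileUrlValidator.
function isPublicHttpUrl(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        // Default resolver: gethostbynamel() returns IPv4 addresses only.
        $resolver ??= static fn (string $h): array => gethostbynamel($h) ?: [];
        $addresses = $resolver($host);
    }
    if ($addresses === []) {
        return false; // unresolvable hosts are rejected, not passed through
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // one private or reserved address fails the whole URL
        }
    }
    return true;
}

// Constructed inputs: the map stands in for DNS so the demo needs no network.
$dns = [
    'cdn.example.com'      => ['93.184.216.34'],
    'intranet.example.com' => ['10.0.0.5'],
];
$resolve = static fn (string $h): array => $dns[$h] ?? [];
foreach ([
    'https://cdn.example.com/a.jpg',
    'http://intranet.example.com/',
    'http://169.254.169.254/',
    'http://[::1]/',
    'ftp://cdn.example.com/a.jpg',
] as $url) {
    printf("%-36s %s\n", $url, isPublicHttpUrl($url, $resolve) ? 'allow' : 'reject');
}
```

The check covers only the URL that was submitted, which is why the HEAD request itself should also be sent with `max_redirects` set to 0: a redirect response would otherwise send the client to an address that was never validated.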