HTTP requests invoked by an external user should fail if resolving to a non-public IP address
There are currently two cases where a user can invoke HTTP requests to arbitrary URLs. This can be a security risk, if there are endpoints that divulge sensitive information in HTML page titles, or in images, on the local network.
The following functionality is affected:
- Automatic title fetching
- Downloading submission images
Symfony's HttpClient has a decorator that blocks these requests from version 5.1 onwards. We should use it.
Edited by Emma
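A sketch of how the title-fetching path could use that decorator, `NoPrivateNetworkHttpClient` from `symfony/http-client`. This is an added example, not code from the project: the function names `createExternalClient()` and `fetchTitle()`, the timeout and redirect values, the 64 KiB body limit and the sample URL are all assumptions.

```php
<?php
// Added illustration: function names and option values are assumptions, not the project's code.
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpClient\HttpClient;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
use Symfony\Contracts\HttpClient\HttpClientInterface;

// Client for every request whose URL is supplied by an external user.
function createExternalClient(): HttpClientInterface
{
    $inner = HttpClient::create([
        'timeout' => 5,        // seconds of inactivity before giving up
        'max_duration' => 10,  // hard cap on the whole request
        'max_redirects' => 3,
    ]);

    // The decorator fails the request when the target IP is in a blocked
    // subnet; with no second argument its built-in private-network list applies.
    return new NoPrivateNetworkHttpClient($inner);
}

// Returns the page title, or null if the request was refused or failed.
function fetchTitle(HttpClientInterface $client, string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // only plain web URLs are fetched
    }

    try {
        // Only the first 64 KiB is searched for the title.
        $html = substr($client->request('GET', $url)->getContent(), 0, 65536);
    } catch (ExceptionInterface $e) {
        // Covers the decorator's blocked-IP error as well as timeouts and HTTP errors.
        return null;
    }

    if (preg_match('~<title[^>]*>(.*?)</title>~is', $html, $m)) {
        return trim(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5));
    }

    return null;
}

// Constructed sample input: a loopback URL an external user might submit.
var_dump(fetchTitle(createExternalClient(), 'http://127.0.0.1/server-status'));
```

The image download path would take the same decorated client, so both features share one place where the block is enforced.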