Wildcard URL checker has hardcoded protocol allow list

blattersturm · December 31, 2019, 7:30am

Since the following commit:

https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4

a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:

https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4

… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.

rishabh · December 31, 2019, 9:10am

Hi there,

Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.

sam · January 2, 2020, 2:22am

Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.

david · January 2, 2020, 11:51am

I opened a PR here:

https://github.com/discourse/discourse/pull/8651

We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.

david · January 2, 2020, 4:53pm

This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.

david · January 6, 2020, 6:00pm

This topic was automatically closed after 4 days. New replies are no longer allowed.

Topic		Replies	Views
Bug? White listed spam host domains failing support	8	2121	April 1, 2016
Custom Push Notifications: allowed user api push urls dev	11	3612	April 18, 2019
Too many redirects after enabling https installation	8	2909	August 14, 2018
All API calls now getting "You are not permitted to view the requested resource" support	12	1700	April 12, 2020
When install html script facing issue? support	9	1322	May 25, 2020

Wildcard URL checker has hardcoded protocol allow list

Related Topics