Wildcard URL checker has hardcoded protocol allow list

blattersturm · December 31, 2019, 7:30am

Since the following commit:

https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4

a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:

https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4

… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.

rishabh · December 31, 2019, 9:10am

Hi there,

Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.

sam · January 2, 2020, 2:22am

Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.

david · January 2, 2020, 11:51am

I opened a PR here:

https://github.com/discourse/discourse/pull/8651

We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.

david · January 2, 2020, 4:53pm

This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.

david · January 6, 2020, 6:00pm

This topic was automatically closed after 4 days. New replies are no longer allowed.

Topic		Replies	Views
Custom Push Notifications: allowed user api push urls Dev	11	3775	April 18, 2019
When install html script facing issue? Support	9	1503	May 25, 2020
Go Daddy SSL certificate installation error in D.O. server Installation unsupported-install	9	1424	May 3, 2022
Adding command line tools support for user api keys Dev	23	3412	January 4, 2019
Unable to Test Discourse Connect on localhost SSO	1	1140	September 8, 2021

Wildcard URL checker has hardcoded protocol allow list

Related Topics