Wildcard URL checker has hardcoded protocol allow list

Since the following commit:

https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4

a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:

https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4

… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.

5 Likes

Hi there,

Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.

2 Likes

Thanks for reporting this, we are looking at a fix so we auto-whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.

4 Likes

I opened a PR here:

https://github.com/discourse/discourse/pull/8651

We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.

8 Likes
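As an added illustration of the two behaviours discussed in this thread (example code written for this page, not Discourse's own code; the linked PR is the real change): the first checker rejects any scheme outside a hardcoded list before it ever consults the configured patterns, which is the behaviour the original post reports for `fivem://accept-auth`; the second matches the whole URL, scheme included, against the configured list, which is the approach the PR reply describes. The `ALLOWED_REDIRECTS` sample patterns, the module names, the `http`/`https` hardcoded list and the wildcard semantics are assumptions made for the example.

```ruby
require "uri"

# Constructed sample of what an admin might enter in allowed_user_api_auth_redirects
# (assumption: one pattern per entry, "*" as the only wildcard).
ALLOWED_REDIRECTS = [
  "https://app.example.com/auth/*",
  "fivem://accept-auth",
].freeze

# Match a configured pattern against a full URL. Regexp.escape makes "." and
# friends literal, "*" becomes ".*", and \A / \z anchor both ends so a pattern
# cannot match a mere prefix of a longer, attacker-supplied URL.
def wildcard_match?(pattern, url)
  regex = Regexp.new("\\A" + Regexp.escape(pattern).gsub("\\*", ".*") + "\\z")
  regex.match?(url)
end

# Behaviour reported in the original post (illustrative, not Discourse's code):
# a fixed protocol list is consulted first, so a configured fivem:// redirect is
# refused no matter what the admin entered.
module HardcodedProtocolChecker
  ALLOWED_PROTOCOLS = %w[http https].freeze # hypothetical hardcoded list

  def self.allowed?(url, patterns = ALLOWED_REDIRECTS)
    uri = begin
      URI.parse(url)
    rescue URI::InvalidURIError
      return false
    end
    return false unless ALLOWED_PROTOCOLS.include?(uri.scheme)

    patterns.any? { |pattern| wildcard_match?(pattern, url) }
  end
end

# Approach described in the PR reply: the whole URL, scheme included, must match
# one of the configured patterns; the pattern itself decides which schemes pass.
module WholeUrlChecker
  def self.allowed?(url, patterns = ALLOWED_REDIRECTS)
    patterns.any? { |pattern| wildcard_match?(pattern, url) }
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[fivem://accept-auth https://app.example.com/auth/callback https://evil.example.net/auth/callback].each do |url|
    puts "#{url}: hardcoded=#{HardcodedProtocolChecker.allowed?(url)} whole_url=#{WholeUrlChecker.allowed?(url)}"
  end
end
```

Because `*` expands to `.*`, a wildcard placed in the host part (for example `https://*.example.com/*`) would also accept URLs whose host ends elsewhere and merely contain that string later on, so keep wildcards to the path portion of a pattern or match the host separately.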

This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.

7 Likes

This topic was automatically closed after 4 days. New replies are no longer allowed.