Wildcard URL checker has hardcoded protocol allow list

blattersturm · 31 ديسمبر 2019، 7:30ص

Since the following commit:

https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4

a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:

https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4

… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.

rishabh · 31 ديسمبر 2019، 9:10ص

Hi there,

Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.

sam · 2 يناير 2020، 2:22ص

Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.

david · 2 يناير 2020، 11:51ص

I opened a PR here:

https://github.com/discourse/discourse/pull/8651

We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.

david · 2 يناير 2020، 4:53م

This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.

david · 6 يناير 2020، 6:00م

This topic was automatically closed after 4 days. New replies are no longer allowed.

الموضوع		الردود	مرات العرض
Support wildcard in "allowed user api auth redirects" setting Feature	0	637	15 ديسمبر 2018
Non-http(s) urls in posts not hyperlinking properly Support	20	2259	8 نوفمبر 2016
URL validation for "Web Site" on user profile Feature	5	1522	5 فبراير 2016
Links with protocol other than http? Support docker , markdown	5	1848	19 أكتوبر 2018
Show full website path on user profile regardless of domain UX	12	1704	11 أبريل 2016

Wildcard URL checker has hardcoded protocol allow list

الموضوعات ذات الصلة