Wildcard URL checker has hardcoded protocol allow list

blattersturm · 31. Dezember 2019 um 07:30

Since the following commit:

https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4

a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:

https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4

… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.

rishabh · 31. Dezember 2019 um 09:10

Hi there,

Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.

sam · 2. Januar 2020 um 02:22

Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.

david · 2. Januar 2020 um 11:51

I opened a PR here:

https://github.com/discourse/discourse/pull/8651

We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.

david · 2. Januar 2020 um 16:53

This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.

david · 6. Januar 2020 um 18:00

This topic was automatically closed after 4 days. New replies are no longer allowed.

Thema		Antworten	Aufrufe
Support wildcard in "allowed user api auth redirects" setting Feature	0	637	15. Dezember 2018
Non-http(s) urls in posts not hyperlinking properly Support	20	2259	8. November 2016
URL validation for "Web Site" on user profile Feature	5	1522	5. Februar 2016
Links with protocol other than http? Support docker , markdown	5	1848	19. Oktober 2018
Show full website path on user profile regardless of domain UX	12	1704	11. April 2016

Wildcard URL checker has hardcoded protocol allow list

Verwandte Themen