Since the following commit:
committed 02:29PM - 13 Dec 19 UTC
a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:
# frozen_string_literal: true
module WildcardUrlChecker
  # Hardcoded allow-list of URL schemes. valid_url? (defined further down in the
  # file, not quoted here) rejects any url_to_check whose scheme is not in this
  # list, which is what blocks custom app schemes such as fivem://
  VALID_PROTOCOLS = %w(http https discourse).freeze

  def self.check_url(url, url_to_check)
    return nil if !valid_url?(url_to_check)

    # Turn the configured wildcard pattern into an anchored, case-insensitive regex
    escaped_url = Regexp.escape(url).sub("\\*", '\S*')
    url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')

    # Returns MatchData or nil rather than a boolean
    url_to_check.match(url_regex)
  end
end
… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.
5 Likes
rishabh
December 31, 2019, 9:10am
3
Hi there,
Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.
2 Likes
sam
(Sam Saffron)
January 2, 2020, 2:22am
11
Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.
4 Likes
david
(David Taylor)
January 2, 2020, 11:51am
13
I opened a PR here:
master ← davidtaylorhq:wildcard-url-checker-protocol
merged 04:03PM - 02 Jan 20 UTC
This is required for people using apps with custom protocols. We still verify the entire URL (including protocol) against the site setting value.
Refactored wildcard_url_checker so that it always returns a boolean, rather than sometimes returning a regex match.
We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.
8 Likes
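To illustrate both the problem in the first post (a hardcoded scheme list overriding the configured allow-list) and the approach David describes (compare the whole URL, scheme included, against the site setting and always return a boolean), here is an added example. It is not Discourse's code and not the merged PR; the module name, the `allowed?` helper and the sample allow-list are constructed for this illustration. It also generalises the page's snippet slightly by handling more than one `*` in a pattern.

```ruby
# Added example (not Discourse's code): a wildcard redirect-URI checker that
# validates the whole URL, scheme included, against the configured allow-list,
# so custom app schemes like fivem:// work without any hardcoded protocol list.
require 'uri'

module RedirectAllowlist # hypothetical module name, not from the project
  # Constructed sample of an allowed_user_api_auth_redirects style setting
  EXAMPLE_ALLOWED = ['https://example.com/*', 'fivem://accept-auth'].freeze

  # Does url_to_check match the single wildcard pattern? Always a boolean.
  def self.check_url(pattern, url_to_check)
    return false unless parseable?(url_to_check)

    # Escape the pattern, then turn every literal "*" into a non-whitespace run.
    # The page's snippet uses sub (first "*" only); gsub with a block handles
    # several and avoids backreference processing in the replacement string.
    escaped = Regexp.escape(pattern).gsub('\*') { '\S*' }
    # Anchor at both ends so the pattern must cover the entire URL, scheme included
    regex = Regexp.new("\\A#{escaped}\\z", Regexp::IGNORECASE)
    regex.match?(url_to_check)
  end

  # Is the URL allowed by any entry of the configured list?
  def self.allowed?(allowed_patterns, url_to_check)
    allowed_patterns.any? { |pattern| check_url(pattern, url_to_check) }
  end

  # The URL must parse and carry a scheme; the scheme itself is not restricted
  # here, because the anchored pattern comparison already pins it.
  def self.parseable?(url)
    uri = URI.parse(url)
    !uri.scheme.nil? && !uri.scheme.empty?
  rescue URI::InvalidURIError
    false
  end
end

if $PROGRAM_NAME == __FILE__
  ['fivem://accept-auth', 'http://example.com/cb', 'https://example.com/cb'].each do |u|
    puts "#{u} -> #{RedirectAllowlist.allowed?(RedirectAllowlist::EXAMPLE_ALLOWED, u)}"
  end
end
```

Because the scheme is part of the compared string, an entry such as `https://example.com/*` does not admit `http://example.com/...`, and the `\A`/`\z` anchors keep `https://example.com.attacker.test/...` from matching; the configured list, not a fixed constant, decides which schemes are acceptable.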
david
(David Taylor)
January 2, 2020, 4:53pm
14
This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.
7 Likes
david
(David Taylor)
Closed
January 6, 2020, 6:00pm
15
This topic was automatically closed after 4 days. New replies are no longer allowed.