Since the following commit:
committed 02:29PM - 13 Dec 19 UTC
a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:
    # frozen_string_literal: true
    require "uri"

    module WildcardUrlChecker
      VALID_PROTOCOLS = %w(http https discourse).freeze

      # Returns a MatchData on success, nil otherwise (not a boolean).
      def self.check_url(url, url_to_check)
        return nil if !valid_url?(url_to_check)
        escaped_url = Regexp.escape(url).sub("\\*", '\S*')
        url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')
        url_to_check.match(url_regex)
      end

      # Not shown in the quoted excerpt; reconstructed from the behaviour described:
      # any scheme outside VALID_PROTOCOLS fails before the wildcard match is tried.
      def self.valid_url?(url)
        uri = URI.parse(url)
        !uri.scheme.nil? && VALID_PROTOCOLS.include?(uri.scheme.downcase) && !uri.host.nil?
      rescue URI::Error
        false
      end
    end
… leading to any attempt to create a new user API key with fivem://accept-auth as the redirect URI hitting a 403, with no information in /logs or on the end user's screen.
5 Likes
Hi there,
Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.
2 Likes
sam (Sam Saffron), 2 January 2020 02:22, #11
Thanks for reporting this; we are looking at a fix so that we auto-whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.
4 Likes
david (David Taylor), 2 January 2020 11:51, #13
I opened a PR here:
master ← davidtaylorhq:wildcard-url-checker-protocol
merged 04:03PM - 02 Jan 20 UTC
This is required for people using apps with custom protocols. We still verify the entire URL (including protocol) against the site setting value.
Refactored wildcard_url_checker so that it always returns a boolean, rather than sometimes returning a regex match.
We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.
8 Likes
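To make the two behaviours discussed in this thread concrete, here is an added Ruby example (editor's illustration, not Discourse's code and not the PR above). BrokenChecker mirrors the reported excerpt: a hardcoded scheme list rejects fivem:// before the wildcard pattern is even consulted. FixedChecker follows what David describes: no scheme list of its own, the whole candidate URL including its scheme must match an entry of the admin's allowlist, and the result is always a boolean. The module names, redirect_allowed?, SAMPLE_ALLOWLIST and the body of valid_url? (the thread never shows it) are assumptions made for this example.

```ruby
require "uri"

# Behaviour as reported: scheme gate first, wildcard match second.
module BrokenChecker
  VALID_PROTOCOLS = %w(http https discourse).freeze

  # Assumed body: the excerpt in the report does not show this method.
  def self.valid_url?(url)
    uri = URI.parse(url)
    !uri.scheme.nil? && VALID_PROTOCOLS.include?(uri.scheme.downcase) && !uri.host.nil?
  rescue URI::Error
    false
  end

  # Returns MatchData or nil, never true/false.
  def self.check_url(url, url_to_check)
    return nil if !valid_url?(url_to_check)
    escaped_url = Regexp.escape(url).sub("\\*", '\S*')
    url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')
    url_to_check.match(url_regex)
  end
end

# Behaviour after the fix described in the thread (example code, not the PR).
module FixedChecker
  # Structural check only: a scheme and a host must be present. Which schemes
  # are acceptable is decided by the admin's allowlist entries, not here.
  def self.valid_url?(url)
    uri = URI.parse(url)
    !uri.scheme.nil? && !uri.host.nil?
  rescue URI::Error
    false
  end

  # The pattern is regex-escaped, every '*' becomes \S*, and the entire
  # candidate URL (scheme included) must match. Always returns true/false.
  def self.check_url(url, url_to_check)
    return false unless valid_url?(url_to_check)
    escaped_url = Regexp.escape(url).gsub("\\*", '\S*')
    url_regex = Regexp.new("\\A#{escaped_url}\\z", Regexp::IGNORECASE)
    url_regex.match?(url_to_check)
  end

  # The site setting is a list: the redirect is accepted if any entry matches.
  def self.redirect_allowed?(allowlist, url_to_check)
    allowlist.any? { |pattern| check_url(pattern, url_to_check) }
  end
end

# Constructed sample value for allowed_user_api_auth_redirects, stored as a
# '|'-separated list setting; not taken from any real site.
SAMPLE_ALLOWLIST = "https://example.com/*|fivem://accept-auth".split("|").freeze

if __FILE__ == $0
  p BrokenChecker.check_url("fivem://accept-auth", "fivem://accept-auth")
  p FixedChecker.redirect_allowed?(SAMPLE_ALLOWLIST, "fivem://accept-auth")
  p FixedChecker.redirect_allowed?(SAMPLE_ALLOWLIST, "https://attacker.example/")
end
```

One caveat worth keeping in mind once the scheme gate is gone: the allowlist entry is the only thing standing between the API key flow and an open redirect, so an entry such as https://* matches every https host and a bare * would match anything with a scheme and host. Keep entries as specific as the client needs, with the scheme spelled out.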
david (David Taylor), 2 January 2020 16:53, #14
This is now merged. @blattersturm, if you update to the latest version, the problem should be resolved.
7 Likes
david (David Taylor), closed, 6 January 2020 18:00, #15
This topic was automatically closed after 4 days. New replies are no longer allowed.