Wildcard URL checker has hardcoded protocol allow list

blattersturm · 31 Dicembre 2019, 7:30am

Since the following commit:

https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4

a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:

https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4

… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.

rishabh · 31 Dicembre 2019, 9:10am

Hi there,

Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.

sam · 2 Gennaio 2020, 2:22am

Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.

david · 2 Gennaio 2020, 11:51am

I opened a PR here:

https://github.com/discourse/discourse/pull/8651

We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.

david · 2 Gennaio 2020, 4:53pm

This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.

david · 6 Gennaio 2020, 6:00pm

This topic was automatically closed after 4 days. New replies are no longer allowed.

Argomento		Risposte	Visualizzazioni
Support wildcard in "allowed user api auth redirects" setting Feature	0	637	Dicembre 15, 2018
Non-http(s) urls in posts not hyperlinking properly Support	20	2258	Novembre 8, 2016
URL validation for "Web Site" on user profile Feature	5	1522	Febbraio 5, 2016
Links with protocol other than http? Support docker , markdown	5	1845	Ottobre 19, 2018
Show full website path on user profile regardless of domain UX	12	1704	Aprile 11, 2016

Wildcard URL checker has hardcoded protocol allow list

Argomenti correlati