Fixes #36644 - Validate root_url before using it #9795
Issues: #36644
app/controllers/links_controller.rb
Outdated
@@ -1,5 +1,8 @@ | |||
TRUSTED_DOMAINS = ['theforeman.org', 'redhat.com', 'orcharhino.com'].freeze |
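Review bot: the entries in TRUSTED_DOMAINS are bare apex domains, so the comparison that consults this constant (not visible in this hunk) needs to match the parsed URL's host exactly or as a dot-anchored suffix, case-insensitively, rather than by substring or prefix; a short comment next to the constant explaining why these three domains are trusted, and that subdomains are (or are not) included, would save the next reader a trip to the controller logic.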
are there any other domains that you'd need allowed in the redirection code (which is not hard coded in external_url)?
Thoughts on making it an item in SETTINGS?
WWTD - what would Tomer do? ;-)
(no idea if this needs to be a setting, as I don't anticipate it to be changed by users, but can certainly make it one if that makes handling easier?)
I think Tomer mostly had a problem with user visible settings, but I thought about something you can override in settings.yaml.
done that now
79a9637 to 6a6e1f1
A note from a private conversation: once #9756 is merged we should consider logging a deprecation warning when root_url is passed.
6a6e1f1 to bcf62d8
now, why did that not fire off jenkins? [test unit]
@@ -28,6 +28,8 @@ | |||
|
|||
SETTINGS[:hosts] ||= [] | |||
|
|||
SETTINGS[:trusted_redirect_domains] ||= ['theforeman.org', 'redhat.com', 'orcharhino.com'].freeze |
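Review bot: the `.freeze` only applies to the fallback literal, and it is shallow; a list loaded from settings.yaml that short-circuits the `||=` will not be frozen, so the default and the overridden value behave differently if any later code mutates the array. Either freeze whatever ends up in SETTINGS[:trusted_redirect_domains] after the `||=` (e.g. `SETTINGS[:trusted_redirect_domains] = Array(SETTINGS[:trusted_redirect_domains]).freeze`) or drop `.freeze` here, and add the new key with its default to the settings.yaml documentation so the override is discoverable.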
should this even be frozen? idk.
the only code I could find that could be affected by that is: but it seems to override the root_url after the request has been accepted, so it should not really be a problem?
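As an added illustration of the check this PR is about (example code, not Foreman's and not part of the PR), here is a Ruby validator for a caller-supplied root_url against the trusted_redirect_domains list, with the same SETTINGS override pattern as the diff; SETTINGS is a stand-in hash and the function names are assumptions.

```ruby
require 'uri'

# Stand-in for the hash Foreman loads from settings.yaml; the key can be
# overridden there, otherwise the default list from the PR applies.
SETTINGS = {} unless defined?(SETTINGS)
SETTINGS[:trusted_redirect_domains] ||= ['theforeman.org', 'redhat.com', 'orcharhino.com'].freeze

# Returns true when url is an absolute http(s) URL whose host is one of the
# trusted domains or a subdomain of one. The match is anchored on a dot so
# that "theforeman.org.example.net" does not pass for "theforeman.org".
def trusted_root_url?(url, domains = SETTINGS[:trusted_redirect_domains])
  uri = URI.parse(url.to_s)
  # URI::HTTPS is a subclass of URI::HTTP; anything else (javascript:,
  # scheme-relative "//host", empty string) is rejected.
  return false unless uri.is_a?(URI::HTTP) && uri.host
  return false if uri.userinfo # reject URLs carrying credentials
  host = uri.host.downcase.chomp('.')
  domains.any? do |domain|
    d = domain.downcase
    host == d || host.end_with?(".#{d}")
  end
rescue URI::InvalidURIError
  false
end

# Use the supplied root_url only if it validates; otherwise fall back to a
# known-good base so the redirect never leaves the trusted set.
def redirect_base(root_url, default = 'https://theforeman.org')
  trusted_root_url?(root_url) ? root_url : default
end
```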
No description provided.