[openstreetmap/openstreetmap-website] Add localhost to allowed http redirect_uris for OAuth (PR #4287)
Sam
notifications at github.com
Thu Oct 12 10:08:49 UTC 2023
Fixes #3613
One line change to add "localhost" to the list of allowed OAuth2 http redirects (along with 127.0.0.1 currently).
As suggested by this comment: https://github.com/openstreetmap/openstreetmap-website/issues/3613#issuecomment-1193399513 the security implications should be minimal.
localhost should resolve to loopback 127.0.0.1 on most systems and the auth code obtained should not be leaked externally.
The circumstance where this is an issue is on compromised systems, where the DNS resolution can be manipulated.
You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/4287
-- Commit Summary --
* fix(oauth): add localhost to allowed http redirect_uris
-- File Changes --
M config/initializers/doorkeeper.rb (4)
-- Patch Links --
https://github.com/openstreetmap/openstreetmap-website/pull/4287.patch
https://github.com/openstreetmap/openstreetmap-website/pull/4287.diff
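As an added example (not the PR's code or the project's Doorkeeper configuration): a stand-alone Ruby check of the rule the description states, with plain http accepted only for 127.0.0.1 and localhost, plus a check for the stated caveat that localhost depends on name resolution. The helper names and sample URIs are constructed for illustration.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Hosts for which a plain-http redirect URI is accepted (the two named in the PR).
HTTP_REDIRECT_HOSTS = %w[127.0.0.1 localhost].freeze

# Hypothetical helper: true if the redirect URI may be registered.
# https is always accepted; http only for an exact match on the loopback hosts.
def redirect_uri_allowed?(raw)
  uri = URI.parse(raw)
  return false if uri.host.nil? || uri.fragment || uri.userinfo

  case uri.scheme
  when "https" then true
  when "http"  then HTTP_REDIRECT_HOSTS.include?(uri.host.downcase)
  else false
  end
rescue URI::InvalidURIError
  false
end

# Hypothetical helper for the caveat in the description: "localhost" is a name,
# so confirm every address it resolves to is loopback. The resolver is
# injectable so the check can be exercised without touching the real resolver.
def resolves_only_to_loopback?(host, resolver = ->(h) { Resolv.getaddresses(h) })
  addrs = resolver.call(host)
  !addrs.empty? && addrs.all? { |a| IPAddr.new(a).loopback? }
rescue IPAddr::InvalidAddressError
  false
end

# Constructed sample redirect URIs.
[
  "http://localhost:8080/callback",
  "http://127.0.0.1:8080/callback",
  "https://app.example/callback",
  "http://app.example/callback",
  "http://localhost.example.com/callback"
].each do |u|
  puts format("%-40s %s", u, redirect_uri_allowed?(u) ? "allowed" : "rejected")
end

# Constructed resolver answers: a healthy system, then one where the name
# has been pointed at a non-loopback address.
puts resolves_only_to_loopback?("localhost", ->(_h) { ["127.0.0.1", "::1"] })
puts resolves_only_to_loopback?("localhost", ->(_h) { ["203.0.113.5"] })
```

The host comparison is an exact match after lowercasing, so a name that merely starts with `localhost` is treated like any other external host and must use https.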