possible #1615 solution: partial wildcard allowed-origins, with just … #1623
Conversation
…st protocol specified (for example "http://*") could use glob ** pattern in order to match any sequence of characters (even the separator). Signed-off-by: Aterocana <dominicimaurizio<at>gmail.com>
|
|
|
Awesome, thank you! Once the CLA is signed I'll merge this. Please comment once it's signed so I don't miss it! |
|
Yeah, It seems I used a different mail from GitHub's one. Let me check tomorrow, if necessary I'll do a different pr. |
|
I actually signed it, but it says I don't. Is it normal? |
|
Hm, it says:
It also appears that your commit is not actually attributed to your GitHub account, as indicated by the greyed-out image:
To see how to link the local git commit to GitHub, here's a guide: https://help.github.com/en/github/setting-up-and-managing-your-github-user-account/setting-your-commit-email-address Once the commit has the right metadata the toll should work :) Thank you!! |
|
I'm closing this since I recreated the PR due to git user used. Sorry. |
…protocol specified (for example "http://*") could use glob ** pattern in order to match any sequence of characters (even the separator).
Signed-off-by: Aterocana <dominicimauriziogmail.com>
Related issue
@aeneasras discussed in #1615 I'm proposing this fix.Proposed changes
Basically I think the issue here is the protocol is specified, but no domain is: for example https://*.
Internally glob.Glob is compiled (with glob.Compile) with the provided string and
'.'rune separator. Sinceg:=glob.Compile("https://*", '.')doesn't matchg.Match("http://foobar.com")due to.separator, we could useg:=glob.Compile("https://**", '.') to ignore.` separator in this specific case.In order to do so I simply tried to match if "://" substring is into an allowed-origin string.
Checklist
vulnerability, I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
Further comments