Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delete URL warning to links for outbound link signing and redirects #267

Open
mariobehling opened this issue Feb 13, 2025 · 1 comment · May be fixed by #282
Open

Delete URL warning to links for outbound link signing and redirects #267

mariobehling opened this issue Feb 13, 2025 · 1 comment · May be fixed by #282
Assignees
@hongquan
Labels
bug

Comments

@mariobehling
Copy link
Member

mariobehling commented Feb 13, 2025
edited
Loading

Pretalx added a commit that adds a signage "you are accessing an outside link" as a default to the platform. As we have different subdomains and specific organiser links this is not useful for us.

Simply reverting the following commit results in a 500 error. Find an option to get rid of the message / delete the URL warning to links for outbound link signing and redirects.

Related commit: cc39b03
@mariobehling mariobehling changed the title Revert commit Provide outbound link signing and redirects Delete URL warning to links for outbound link signing and redirects Feb 16, 2025
@hongquan
Copy link
Member

Turn out that the cause is our misconfiguration. This is the line of code which check if the link is leading to outside:

eventyay-talk/src/pretalx/common/views/redirect.py

Line 20 in bfe9a8a

return (referer.scheme, referer.netloc) == (request.scheme, request.get_host())

referer is the URL of original page (where we saw the link and we clicked), like https://app.eventyay.com/talk/orga/event/moon-night-2025/mails/1/, request is the target URL,like https://app.eventyay.com/talk/moon-night-2025/me/submissions/QQSD3B/. With proper setup, the above check will pass, because referer.netloc == request.get_host() == 'app.eventyay.com'.

But with current configuration, even if we already enable TLS, the request.scheme is still http, not https and make the above check fail.

@hongquan hongquan linked a pull request Feb 26, 2025 that will close this issue
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hongquan hongquan

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix: Django not detect that our site is HTTPS hongquan/eventyay-talk
2 participants
@hongquan @mariobehling