Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sec): Getting wrong final URL (from redirect) on presentation upload #18494

Merged
merged 1 commit into from Aug 9, 2023
Merged

fix(sec): Getting wrong final URL (from redirect) on presentation upload #18494

merged 1 commit into from Aug 9, 2023

Conversation

gustavotrott
Copy link
Collaborator

@gustavotrott gustavotrott commented Aug 9, 2023
edited

The function followRedirect was supposed to obtain the final URL when the first URL is a redirect link.
Turned out that it is always returning the first URL instead of follow the redirect and return the final URL.

This PR fix it.

image

@sonarcloud
Copy link

sonarcloud bot commented Aug 9, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@antobinary antobinary added this to the Release 2.7 milestone Aug 9, 2023
paultrudel
paultrudel approved these changes Aug 9, 2023
View reviewed changes
Copy link
Collaborator

@paultrudel paultrudel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks good!

To test this I created a fake "rogue" server to redirect requests to.

image

I sent the following request
curl -s -X POST "https://bbb27.test/bigbluebutton/api/insertDocument?meetingID=random-4046244&checksum=ff787fe2c57abeee1f9c0e454f5c40632185ff54" --header "Content-Type: application/xml" --data '<modules> <module name="presentation"> <document current="true" downloadable="true" url="https://699e-129-222-187-237.ngrok-free.app/a.txt" filename="a.txt"/> </module> </modules>'

Viewing the requests to the server we see that the no redirect occurred after the final URL resolved which is what was needed.

image

image

image

@gustavotrott gustavotrott merged commit 813bb07 into bigbluebutton:v2.7.x-release Aug 9, 2023
15 of 16 checks passed
@gustavotrott gustavotrott mentioned this pull request Aug 17, 2023
Merged
@antobinary antobinary changed the title fix (bbb-web): Getting wrong final URL (from redirect) on presentation upload fix(sec): Getting wrong final URL (from redirect) on presentation upload Aug 24, 2023
@gustavotrott gustavotrott deleted the fix-upload-follow-redirect branch March 11, 2024 16:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paultrudel paultrudel paultrudel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Release 2.7
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@gustavotrott @paultrudel @antobinary