MBS-11328: Regression: Approving an edit redirects to home page #1861
Merged
This only occurred when approving from an edit page (e.g. /edit/123), not from an edit listing. The issue is that while 69df512 improved the security of `returnto` by preventing it from redirecting to external URLs, it did this by ignoring any URL with an authority set. We want to be a bit more lax and accept absolute URLs that point to musicbrainz.org or the current web server. Tested the change manually on my mirror server.
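The two `returnto` policies contrasted above, as an added Python sketch. It is not MusicBrainz Server code, which this page does not show; `safe_returnto`, `ALLOWED_HOSTS`, the `mirror.example` host and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: musicbrainz.org plus the current web server's host name
# ("mirror.example" is a constructed placeholder for a mirror).
ALLOWED_HOSTS = frozenset({"musicbrainz.org", "mirror.example"})
FALLBACK = "/"  # the home page, where the regression sent editors


def safe_returnto(value, allowed_hosts=frozenset()):
    """Return a local path to redirect to, or FALLBACK if value is unsafe.

    With the default empty allowlist every URL carrying a scheme or an
    authority is ignored (the stricter policy); passing ALLOWED_HOSTS
    additionally accepts absolute http(s) URLs on those exact hosts.
    """
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 brackets
        return FALLBACK
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return FALLBACK  # javascript:, data:, scheme-relative //host
        if "@" in parts.netloc or parts.hostname not in allowed_hosts:
            return FALLBACK  # userinfo tricks and look-alike hosts
    path = parts.path or "/"
    # Only the path and query are kept, so the redirect stays on this
    # server; refuse paths a browser could read as another authority.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return FALLBACK
    return path + ("?" + parts.query if parts.query else "")


# Constructed sample values for the returnto parameter.
SAMPLES = [
    "/edit/123",
    "https://musicbrainz.org/edit/123",
    "https://musicbrainz.org.evil.example/edit/123",
    "//evil.example/edit/123",
]

if __name__ == "__main__":
    for s in SAMPLES:
        strict, lax = safe_returnto(s), safe_returnto(s, ALLOWED_HOSTS)
        print(f"{s!r:50} strict={strict!r} lax={lax!r}")
```

Matching the parsed host name exactly, rather than by prefix or substring, is what keeps the relaxed policy from reopening the external redirect.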
reosarevok added the Regression/Beta label (Bugs that are either on beta or new regressions and should be checked ASAP) on Jan 14, 2021
reosarevok approved these changes on Jan 14, 2021
Seems sensible.
yvanzo approved these changes on Jan 18, 2021
reosarevok added a commit that referenced this pull request on Feb 1, 2021
* beta: Update POT files using the production database Revert "MBS-11268: Show "Set track durations" on release/discids" Update translations from Transifex Update POT files using the production database Update translations from Transifex Simplify bottom links to avoid translation parameters (#1884) MBS-11353: Allow empty row in multiple select (#1883) Update POT files using the production database Update translations from Transifex Make component and file names consistent Remove no longer used error TT components MBS-11112: Convert 500 error page to React MBS-11112: Convert timeout error page to React MBS-11112: Convert 403 mirror error page to React MBS-11112: Convert 404 mirror error page to React Allow className for AnchorProps Change the stash assignment method for consistency MBS-11112: Convert 403 error page to React MBS-11112: Convert 503 error page to React MBS-11112: Convert 401 error page to React MBS-11112: Convert 400 error page to React MBS-11112: Convert ErrorInfo to React MBS-11112: Convert ErrorEnvironment to React Make description optional in bugTrackerURL Convert forward to detach for always-detaching errors Generalize error layout MBS-11351: Sort instrument reports by name before type (#1880) Show message if no added entities rather than empty table Prevent linking release to Wikidata/Wikipedia Add missing comma MBS-11288: Drop decoda.com from lyrics whitelist (#1837) MBS-11123: Hide empty rows of the 'Added entities' table MBS-10187: "Merge artists" edit is stuck Avoid hardcoding group artist types s/existant/existent/g Factor out conditional_merge_column_query MBS-11348: improve report description text MBS-11344: Validate rateyourmusic URLs MBS-11123: Add new entities type to editor statistics MBS-11123: Add message about the editor statistics not being real-time Improve flow typing for recordings and ACs MBS-10872: Add missing colSpan on Edit Medium MBS-11045: Convert Edit medium edit to React MBS-11123: Restrict 'Added entities' edits counted 
to applied edits MBS-11348: Add link to specific release on the cdtoc page from the report Add anchor in cdtoc table of attached releases MBS-11348: New report about discIDs attached to a medium but not applied MBS-11346: Use medium_format ids in SQL query Update POT files using the production database Update translations from Transifex MBS-11310: Clarify when discid would cause subsecond changes (#1844) Use artist name for empty AC name in /ws/js/edit MBS-11332: Don't double-bracket ended in track rels view (#1864) MBS-11327: Show CAA icons on release search results (#1866) MBS-4782 / MBS-11333: Pass original MBID to AddCoverArt if no release (#1867) MBS-11336: Don't show ended rels in DeprecatedRelationshipURL (#1870) MBS-11328: Approving an edit redirects to home page (#1861) Add runReducer to FormRowSortNameWithGuessCase Add runReducer to FormRowNameWithGuessCase MBS-11168: Convert Delete Alias form to React Better UI for disabling fields for search hints MBS-11168: Convert add/edit alias form to React Convert date_range_fieldset to React Allow PartialDate form files to work with state Avoid tests breaking on move to React Refactor subfieldErrors / FieldErrors Port form_row_sortname_with_guesscase to React Preparing chooseLayoutComponent for AliasEditForm Preparing EnterEdit for AliasEditForm Preparing FormRowText for AliasEditForm Preparing FormRowPartialDate for AliasEditForm Preparing FormRowSelect for AliasEditForm Preparing FormRowCheckbox for AliasEditForm MBS-11344: Use HTTPS for rateyourmusic URLs More specific entry in dependencies array MBS-11277: Convert Other Lookups results to React Move release language block to reusable component Remove (seemingly unused) generic otherlookups results page MBS-11279: Make ISWC otherlookups go to ISWC page Remove now unused taglookup/form MBS-10996: Convert search index to React MBS-10995: Convert Other Lookups form to React MBS-11346: Add 8cm CDs to the report MBS-11346: Exclude CD-R from report MBS-11346: Lower 
duration threshold on dubious duration discID report MBS-11289: Stop autocleaning YouTube Music -> YouTube (#1835) MBS-11111: Set edit_pendings on recordings merged with release (#1774) MBS-11256: Make adding tracklist to empty medium an autoedit (#1815) Remove seemingly unneeded & from regex MBS-11324: Trim input in the barcode otherlookups field (#1855) MBS-11340: Allow more characters on Spotify user URLs Remove extra spaces MBS-11268: Show "Set track durations" on release/discids (#1822) MBS-10999: Make adding first IPI/ISNI an auto-edit Support other gettext functions in localized_note MBS-11322: Recognise old RA links and ask to follow the redirect MBS-11322: Update Resident Advisor favicon MBS-11322: Add validation to Resident Advisor URLs MBS-9840: Add Overture by Doremus to the otherdbs whitelist (#1810) Add `deleted` to sanitizedEditorProps check MBS-11292: Do not use UN flag for [Worldwide] (#1836) MBS-11317: Avoid breaking annotation formatting in RE (#1852) MBS-8028: Allow editing series type to any with same entity type (#1825) MBS-10830: Only show Remove link if entity can be removed (#1843) MBS-10915: Show "Remove track" button for data tracks even with discid (#1841) Add focusin/focusout polyfill for Firefox MBS-11322: Update Resident Advisor to new ra.co domain Split BBC and Resident Advisor review sections MBS-11297: Block adding Wikipedia/Wikidata as license to releases MBS-11297: Block adding Wikipedia/Wikidata as show notes to releases MBS-11296: Block adding Wikidata as discography entry to releases Use formatCount for tag and artist credit usage counts MBS-4548: Allow seeing all uses of an artist credit MBS-1459: Only display artist overview nav links when relevant Remove useless sub deflate MBS-9674: Support internationalized domains in URL forms MBS-1459: Add checks for different RG queries Eslint fixes: react/jsx-boolean-value (auto) Eslint fixes: import/newline-after-import (auto) Eslint fixes: multiline-comment-style Eslint fixes: 
no-multiple-empty-lines (autofixes) Eslint fixes: no-trailing-spaces (autofixes) Eslint fixes: function-paren-newline Eslint fixes: comma-dangle (autofixed) Eslint fixes: array-element-newline Eslint fixes: no-multi-spaces Eslint fixes: no-extra-semi Ignore eslint issues in flow-typed he file