Don't follow the header x forwarded host by default#5899
Merged
tramuntanal merged 6 commits into decidim:develop from armandfardeau:fix/http_x_forwarded_host on Apr 17, 2020
Conversation
tramuntanal previously approved these changes on Apr 17, 2020
microstudi pushed a commit to Platoniq/decidim that referenced this pull request on Apr 17, 2020:

* Don't follow the header x forwarded host by default
* Use accessor directly
* Add changelog entry

Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
agustibr pushed a commit that referenced this pull request on Apr 20, 2020:

* Don't follow the header x forwarded host by default
* Use accessor directly
* Add changelog entry

Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
faithngetich pushed a commit to faithngetich/decidim that referenced this pull request on Apr 28, 2020:

* Don't follow the header x forwarded host by default
* Use accessor directly
* Add changelog entry

Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
ace pushed a commit to aspgems/decidim that referenced this pull request on Apr 29, 2020:

* develop: (65 commits)
  Add newsletter templates (decidim#5887)
  Send email with order summary on order checkout (decidim#6006)
  Change small details on documentation (decidim#5890)
  feat(budgets): Projects filter by multiple categories (decidim#5992)
  Participant renewable verifications (decidim#5854)
  Update .simplecov (decidim#5949)
  Remove legacy assembly types (decidim#5617)
  Don't follow the header x forwarded host by default (decidim#5899)
  Add two CTA on initiative (decidim#5838)
  Conversations with more than one participant (decidim#5861)
  Fix supported versions in SECURITY.md (decidim#5957)
  Add a parameter to specify a list of whitelist ip on /system (decidim#5669)
  Fix error 500 when showing new debate notifications (decidim#5964)
  Upgrade sassc and sassc-rails dependency (decidim#5910)
  Add minimum projects rule to Budgets (decidim#5865)
  Update changelog with current develop
  Fix bad formatted changelog entries
  fix move proposal endorsements migration (decidim#5953)
  Fix the scopes picker rendereding escaped characters (decidim#5939)
  Revert "Fix the scopes picker rendereding escaped characters (decidim#5793)" (decidim#5937)
  ...
microstudi added a commit that referenced this pull request on May 21, 2020:

* permit user_groups to be part in a conversation
* display avatars always in 1:1 proportion with cover object fit
* show groups in conversations page
* show different messages per mailbox
* enable responding group conversations
* revert avatar changes
* revert mailbox group messages handeling
* add cuser_conversation controller
* add user_conversation controller specs
* Fix supported versions in SECURITY.md (#5957)
* Fix supported versions in SECURITY.md
* Add changelog entry
* Conversations with more than one participant (#5861)
* Allow to create conversations with more than one participant
* Added new form param to converstation controller
* Check conversation with multiple users
* Clean code debugs
* Added changelog file
* Cleans debug code line
* Fixes rubocop offenses
* Fixes some js lints
* Disable mentioning users with notifications disabled
* Fixes a) some js linter issues b) refactor some helper methods c) added more conversation_controller_spec tests
* Adds multiple participants's conversations rspec tests
* Add validations for avoiding selecting users with disabled notifications for conversations
* Add test for mention with disabled users
* Fixes a) unused translations tags b) Fixed conversations index test
* Fixes js linter issues
* Fixes a) conversation form validator b) conversations controller test
* Normalizes en.yml locales file
* Fixes linter conversation index erb template
* Add start_conversation_dialog.js to precompiler
* Fixes conversation js tag dependency
* Applies some PR's CR suggestions: a) Move deleteRecipient method inside anonymous function b)
* Modification of name class for disabled tribute element and modification of jquery selector by javascript selector on tribute.js library
* Fix users on selectable mention list shown disabled by acceptance of conversation value
* Fixes multiple mention dropdown style. Adds no results translation
* Normalizes locale en.yml file
* Remove scope selecting only follower user due to a subsequent validation
* Adds avatar to user's dropdown multi-mention, to be like mention
* Fixes a) js includes b) enlights multiple mention input placeholder
* Rename disabledNotifications by directMessagesEnabled field on api
* Rewrite context message on conversations_spec.rb on mentioned list
* Add initial comment to inform that the original file is modified to include a modification on click event
* Fix lint errors
* Remove defined field directMessagesEnabled from author_interface and user_group_type and change api call from input_multiple_mentions.js.es6
* Fixes some styling changes to add users to conversation modal dialog
* Fixes a) unnecessary setTime function call b) change on input placeholder c) adds extra label with max users information d) some translations
* Modify user presenter to return boolean on directMessagesEnabled
* Add spec for directMessagesEnabled
* Fix lint rubocop issues
* Adds a debounce delay call to avoid api calls when keys are pressed so fast
* Fixed translations en.yml lint
* Adds some accessibility functionality on New Conversation modal
* Fixes some lints
* Update CHANGELOG.md
  Co-Authored-By: Ivan Vergés <ivan@platoniq.net>
* Adds some more aria pattern to relate label and input elements
* Update decidim-core/app/presenters/decidim/user_presenter.rb
  Co-Authored-By: Ivan Vergés <ivan@platoniq.net>
* Fixes bad code review merge for api user presenter
* Fixes linter issue
  Co-authored-by: Ivan Molinero <ivan.mr@coditramuntana.com>
  Co-authored-by: Jesús Di Bari <jesus.db@coditramuntana.com>
  Co-authored-by: Ivan Vergés <ivan@platoniq.net>
* Add two CTA on initiative (#5838)
* Add two cta on initiative
* Normalize locales
* Normalize locales
* Add changelog entry
* Update cta redirection (#9)
* erb files linting
* change cta redirection to initiatives_path
* Use EngineRouter main_proxy for redirection
* Add two missing tests (#5)
  Co-authored-by: Armand Fardeau <armandfardeau@users.noreply.github.com>
  Co-authored-by: Quentin Champ <26109239+Quentinchampenois@users.noreply.github.com>
  Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
* Don't follow the header x forwarded host by default (#5899)
* Don't follow the header x forwarded host by default
* Use accessor directly
* Add changelog entry
  Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
* Remove legacy assembly types (#5617)
* migration to remove legacy fields
* fix changelog
* rename migration
  Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
* add groups to multiple conversations
* add groups to spec system conversations
* generalize sender in conversation commands
* add form and listing in user_group_controller
* [WIP] add from parameter to messages for create receipts in groups
* create receipts and send emails for members of groups
* new conversation in profile (WIP)
* new conversation (WIP2)
* new messages working. pagination
* distinct messages for and as a group
* prevent users to receive emails if have direct messages disabled
* complete permissions specs
* add user_conversations controller specs
* add start and reply conversation spec cases
* add profile conversations system specs
* complete specs for profile conversations
* add changelog
* add badge of total number of unreaded messages
* add styling for conversations list
* apply new design to conversation thread
* apply linter
* bundle javascript
* fix assets assignation in object Decidim
* fix tests for the new design
* improve conversations model tests
* move css helpers from initiatives to core
* adjust design in profile and user conversations
* fix missing templates in ajax updates
* fix create conversation
* fix css padding
* style fix
* fix message receipts count in conversation pages
* document why there's a function returning true only
* fix number of receipts counter in group
* add specs for conversation page

Co-authored-by: Oliver Valls <oliver.vh@coditramuntana.com>
Co-authored-by: Ramon Costa <ramon.costa@gmail.com>
Co-authored-by: Ivan Molinero <ivan.mr@coditramuntana.com>
Co-authored-by: Jesús Di Bari <jesus.db@coditramuntana.com>
Co-authored-by: Armand Fardeau <armandfardeau@users.noreply.github.com>
Co-authored-by: Quentin Champ <26109239+Quentinchampenois@users.noreply.github.com>
🎩 What? Why?
If a caching system is in place, following the HTTP_X_FORWARDED_HOST header can allow cache and log poisoning attacks, letting an attacker control the contents of caches and logs, which can then be used as a stepping stone for other attacks.
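To make the "off by default" stance concrete, here is an added example that is not decidim's code or part of this PR: a Rack-style middleware that drops the client-supplied X-Forwarded-Host header unless the deployment explicitly opts in, next to a simplified host lookup that mirrors how Rails/Rack pick the host (last forwarded value wins, otherwise Host). The flag name, the middleware, and the sample request are assumptions made for the illustration.

```ruby
# Added example, not decidim's code: the header is dropped before the app sees
# it unless the deployment explicitly opts in (mirroring "off by default").
FOLLOW_X_FORWARDED_HOST = false # assumed flag name, not a real Rails setting

# Simplified re-implementation (assumption) of how Rails/Rack choose the host
# used for absolute URLs: the last X-Forwarded-Host value wins, else Host.
def resolve_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s.strip
  return forwarded.split(/,\s*/).last unless forwarded.empty?
  env["HTTP_HOST"] || env["SERVER_NAME"]
end

# Rack middleware: strip the client-supplied header unless it is trusted.
# Insert it before cache and logging layers so they never see the tainted host.
class StripForwardedHost
  def initialize(app, follow: FOLLOW_X_FORWARDED_HOST)
    @app = app
    @follow = follow
  end

  def call(env)
    env = env.dup
    env.delete("HTTP_X_FORWARDED_HOST") unless @follow
    @app.call(env)
  end
end

# Minimal app that answers with the host it would use to build URLs, which is
# also the value that ends up in cache keys and access log lines.
ECHO_HOST = ->(env) { [200, { "Content-Type" => "text/plain" }, [resolve_host(env)]] }

def host_seen_by_app(env, follow:)
  _status, _headers, body = StripForwardedHost.new(ECHO_HOST, follow: follow).call(env)
  body.join
end

# Constructed sample request: the genuine Host is example.org, but the request
# carries an X-Forwarded-Host value that no trusted proxy set.
SAMPLE_ENV = {
  "SERVER_NAME" => "example.org",
  "HTTP_HOST" => "example.org",
  "HTTP_X_FORWARDED_HOST" => "untrusted.invalid"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "default (header ignored): #{host_seen_by_app(SAMPLE_ENV, follow: false)}"
  puts "opted in (header trusted): #{host_seen_by_app(SAMPLE_ENV, follow: true)}"
end
```

With the default the application, its caches and its logs all see example.org; only a deployment that deliberately trusts its proxy chain sees the forwarded value.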
📌 Related Issues
📋 Subtasks
CHANGELOG entry