Revert "Merge pull request matrix-org#7153 from matrix-org/babolivier…

…/sso_whitelist_login_fallback" This was incorrectly merged to master. This reverts commit 319c41f, reversing changes made to 229eb81.
phil-flex · May 15, 2020 · 99ece2e · 99ece2e
1 parent b799926
commit 99ece2e
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 28 deletions.
diff --git a/changelog.d/7153.feature b/changelog.d/7153.feature
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -1392,10 +1392,6 @@ sso:
  # phishing attacks from evil.site. To avoid this, include a slash after the
  # hostname: "https://my.client/".
  #
- # If public_baseurl is set, then the login fallback page (used by clients
- # that don't natively support the required login flows) is whitelisted in
- # addition to any URLs in this list.
- #
  # By default, this list is empty.
  #
  #client_whitelist:

diff --git a/synapse/config/sso.py b/synapse/config/sso.py
@@ -39,17 +39,6 @@ def read_config(self, config, **kwargs):
 
  self.sso_client_whitelist = sso_config.get("client_whitelist") or []
 
- # Attempt to also whitelist the server's login fallback, since that fallback sets
- # the redirect URL to itself (so it can process the login token then return
- # gracefully to the client). This would make it pointless to ask the user for
- # confirmation, since the URL the confirmation page would be showing wouldn't be
- # the client's.
- # public_baseurl is an optional setting, so we only add the fallback's URL to the
- # list if it's provided (because we can't figure out what that URL is otherwise).
- if self.public_baseurl:
- login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
- self.sso_client_whitelist.append(login_fallback_url)
-
  def generate_config_section(self, **kwargs):
  return """\
  # Additional settings to use with single-sign on systems such as SAML2 and CAS.
@@ -65,10 +54,6 @@ def generate_config_section(self, **kwargs):
  # phishing attacks from evil.site. To avoid this, include a slash after the
  # hostname: "https://my.client/".
  #
- # If public_baseurl is set, then the login fallback page (used by clients
- # that don't natively support the required login flows) is whitelisted in
- # addition to any URLs in this list.
- #
  # By default, this list is empty.
  #
  #client_whitelist:

diff --git a/tests/rest/client/v1/test_login.py b/tests/rest/client/v1/test_login.py
@@ -350,14 +350,7 @@ def test_cas_redirect_confirm(self):
  def test_cas_redirect_whitelisted(self):
  """Tests that the SSO login flow serves a redirect to a whitelisted url
  """
- self._test_redirect("https://legit-site.com/")
-
- @override_config({"public_baseurl": "https://example.com"})
- def test_cas_redirect_login_fallback(self):
- self._test_redirect("https://example.com/_matrix/static/client/login")
-
- def _test_redirect(self, redirect_url):
- """Tests that the SSO login flow serves a redirect for the given redirect URL."""
+ redirect_url = "https://legit-site.com/"
  cas_ticket_url = (
  "/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
  % (urllib.parse.quote(redirect_url))