sjyangkevin commented on issue #55473:
URL: https://github.com/apache/airflow/issues/55473#issuecomment-3294613662

   Open the PR to include fix and updated tests related to the encoding issue, but would like to see if @Steexyz has further feedback related to
   
   > @Steexyz do you mean it's working now that you set the AIRFLOW__WEBSERVER__BASE_URL? Also if it wasn't set at all it should have worked because we check the next url against the request.base_url.
   > 
   > Maybe request.base_url is wrong here, and does not point to the request referrer url (client side) but instead to the fastapi app url. The idea was to consider that it is safe to redirect the user to a subpath of the domain/path he is currently on.
   > 
   > I guess redirecting to a subpath of the webserver is fine too. It should be trusted as well.
   > 
   > Summary: we might just be missing one case, verify that request.base_url points to the target url, and not the referrer url:
   > 
   > If that is not the case, then I do not understand what is happening and more investigation needs to happen
   > If that is the case, then we can leave that case but we also need to add a case for considering the referrer request as 'safe' that would solve the problem.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
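The check discussed in the quoted comment (accept a `next` URL only when it is the base URL or a subpath of it, and treat more than one base as trusted), as an added example that is not Airflow's code and not part of the original comment. The function names, hostnames and base URLs are hypothetical, constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urljoin, urlsplit


def is_under_base(next_url: str, base_url: str) -> bool:
    """True only if next_url resolves to base_url itself or to a subpath of it."""
    # Backslashes, whitespace and control characters are normalised differently
    # by browsers and by urllib, so refuse them outright.
    if not next_url or any(c == "\\" or ord(c) < 0x21 or ord(c) == 0x7F for c in next_url):
        return False
    try:
        base = urlsplit(base_url)
        # Relative values ("/airflow/dags", "home") resolve against the base;
        # "//host/..." is scheme-relative and resolves to a different host.
        target = urlsplit(urljoin(base_url.rstrip("/") + "/", next_url))
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if target.scheme not in ("http", "https"):
        return False
    if (target.scheme, target.netloc.lower()) != (base.scheme, base.netloc.lower()):
        return False
    # Decode and collapse dot segments, then compare on a segment boundary so
    # "/airflow-evil" does not pass as a subpath of "/airflow".
    base_path = base.path.rstrip("/")
    path = posixpath.normpath(unquote(target.path) or "/")
    return path == (base_path or "/") or path.startswith(base_path + "/")


def is_safe_redirect(next_url: str, *trusted_bases: str) -> bool:
    """Accept next_url if it falls under any base the deployment trusts."""
    return any(is_under_base(next_url, b) for b in trusted_bases if b)


# Constructed values: the app's own URL and the public URL behind a proxy.
APP_BASE = "http://airflow-api:8080/"
PUBLIC_BASE = "https://airflow.example.com/airflow"
```

Checking against `APP_BASE` alone rejects a `next` value built from the public URL, which is the mismatch the comment asks to verify; passing both bases accepts it without loosening the subpath rule.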