daviftorres commented on code in PR #12078:
URL: https://github.com/apache/cloudstack/pull/12078#discussion_r2534534377
##########
server/src/main/java/org/apache/cloudstack/user/UserPasswordResetManagerImpl.java:
##########
@@ -179,10 +180,14 @@ public void setResetTokenAndSend(UserAccount userAccount)
{
final String email = userAccount.getEmail();
final String username = userAccount.getUsername();
final String subject = "Password Reset Request";
- final String domainUrl = UserPasswordResetDomainURL.value();
+ String domainUrl = UserPasswordResetDomainURL.value();
+ if (StringUtils.isBlank(domainUrl)) {
+ domainUrl = ManagementServerAddresses.value().split(",")[0];
+ }
+ domainUrl = domainUrl.trim().replaceAll("/+$", "");
Review Comment:
Good point, @DaanHoogland. While the extra `/` usually won’t cause issues,
it could create problems in environments where admins use a reverse proxy with
strict access rules for the reset-password URL.
For example, some organization could only allow access to password-reset
endpoints from the office network or over the company VPN. This would reduce
the attack surface to a very sensitive endpoint that is often forgotten.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
