From 9f465127592f2f3c893988daceaf608671da9df1 Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Sun, 2 Sep 2018 00:30:10 -0700 Subject: MM-11693 Allow connections to /plugins for interactive message buttons. (#9333) * Allow connetions to /plugins for interactive message buttons. * Adding siteurl to exclusions for AllowedUntrustedInternalConnections * Adding subpath support for allowing interactive message buttons plugin connections. --- app/post.go | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'app/post.go') diff --git a/app/post.go b/app/post.go index 312269772..30602b392 100644 --- a/app/post.go +++ b/app/post.go @@ -12,6 +12,7 @@ import ( "io" "net/http" "net/url" + "path" "regexp" "strings" @@ -882,7 +883,19 @@ func (a *App) DoPostAction(postId, actionId, userId, selectedOption string) *mod req, _ := http.NewRequest("POST", action.Integration.URL, strings.NewReader(request.ToJson())) req.Header.Set("Content-Type", "application/json") req.Header.Set("Accept", "application/json") - resp, err := a.HTTPClient(false).Do(req) + + // Allow access to plugin routes for action buttons + var httpClient *http.Client + url, _ := url.Parse(action.Integration.URL) + siteURL, _ := url.Parse(*a.Config().ServiceSettings.SiteURL) + subpath, _ := utils.GetSubpathFromConfig(a.Config()) + if (url.Hostname() == "localhost" || url.Hostname() == "127.0.0.1" || url.Hostname() == siteURL.Hostname()) && strings.HasPrefix(url.Path, path.Join(subpath, "plugins")) { + httpClient = a.HTTPClient(true) + } else { + httpClient = a.HTTPClient(false) + } + + resp, err := httpClient.Do(req) if err != nil { return model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "err="+err.Error(), http.StatusBadRequest) } -- cgit v1.2.3-1-g7c22