What steps will reproduce the problem?
(1) Buy a domain
(2) Set your DNS to point at Rietveld
(3) Using your custom domain, view/edit an issue
What is the expected output?
(4) The generated email will link users to the issue
What do you see instead?
(4) The generated email will link users to *the URL you were using to view the issue*, which means that I, as the attacker, could then change my DNS entry to point wherever I want and hijack users who click the link in the email.
Proposed resolution:
Only ever generate issue URLs for hosts in a certain whitelist (the actual appspot domain, internal domains, and codereview.chromium.org).
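One way to implement the proposed whitelist, as an added example that is not Rietveld's own code: the link host is taken from the request's Host header only if it is on an allowlist, otherwise the canonical host is used. The allowed hostnames, the HTTPS scheme and the `/<issue id>` path layout are assumptions for the example.

```python
# Added example (not Rietveld's own code): build issue links from an allowlist
# of hosts rather than from whatever Host header the request arrived with.
from urllib.parse import urlsplit

# Hostnames the issue may be linked under (assumed values; the report names
# the appspot domain, internal domains and codereview.chromium.org, but not
# which internal domains).
ALLOWED_HOSTS = frozenset({
    "codereview.chromium.org",
    "chromiumcodereview.appspot.com",
})
CANONICAL_HOST = "codereview.chromium.org"


def host_from_header(host_header: str) -> str:
    """Normalize a raw Host header: lowercase, drop port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal: keep the bracketed part only
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].rstrip(".")


def issue_url(host_header: str, issue_id: int, path: str = "") -> str:
    """Return the URL to put in notification mail for issue `issue_id`.

    If the request's Host is one of the allowed hosts, links may use it
    (so internal mirrors keep working); anything else falls back to the
    canonical host, so an attacker-controlled domain never reaches the mail.
    """
    host = host_from_header(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/{issue_id}{path}"


def is_safe_link(url: str) -> bool:
    """Check, before sending, that a generated link points at an allowed host."""
    return urlsplit(url).hostname in ALLOWED_HOSTS
```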
Comment 1 by andyb...@chromium.org, Aug 11 2016
Status: Available (was: Untriaged)