diff options
author | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-04-12 10:36:40 +0300 |
---|---|---|
committer | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-04-12 10:36:40 +0300 |
commit | f244914402aa6b1882671824a1a98d801cd5c45c (patch) | |
tree | 9f7ccd4be20a664102e356c6b9f3f1e6c7da4ccf /app/helpers/submodule_helper.rb | |
parent | 9df14763057359a02daa3b7673cbbeb145e14420 (diff) | |
parent | 0988be4efa8c9db6b3adcecdbad97367e837961f (diff) |
Merge branch 'regex-start-of-string' into 'master'
Fix persistent XSS vulnerability around profile website URLs.
Fixes gitlab/gitlab-ee#268
See merge request !1761
Diffstat (limited to 'app/helpers/submodule_helper.rb')
-rw-r--r-- | app/helpers/submodule_helper.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/helpers/submodule_helper.rb b/app/helpers/submodule_helper.rb index 99231084cfe..9954617c762 100644 --- a/app/helpers/submodule_helper.rb +++ b/app/helpers/submodule_helper.rb @@ -44,7 +44,7 @@ module SubmoduleHelper def relative_self_url?(url) # (./)?(../repo.git) || (./)?(../../project/repo.git) ) - url =~ /^((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\Z/ || url =~ /^((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\Z/ + url =~ /\A((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\z/ || url =~ /\A((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\z/ end def standard_links(host, namespace, project, commit) |