diff options
author | Jen-Shin Lin <jen-shin@gitlab.com> | 2017-10-17 13:12:24 +0300 |
---|---|---|
committer | Jen-Shin Lin <jen-shin@gitlab.com> | 2017-10-17 13:12:24 +0300 |
commit | 16b24606e7ae94c32c51e93aad93a9e4dd485f26 (patch) | |
tree | 2cf22ad1fb8b5efe0e35f8d4423a6681dc77d1a6 /lib/banzai/filter/sanitization_filter.rb | |
parent | ff3e5fa26d8506c571274b308881481fa552c20b (diff) | |
parent | 02fc18b5cc6223a129d6f6af1e8037736ce94462 (diff) |
Merge branch 'security-10-1' into '10-1-stable'
Security fixes for 10.1 RC
See merge request gitlab/gitlabhq!2209
Diffstat (limited to 'lib/banzai/filter/sanitization_filter.rb')
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index d8c8deea628..6786b9d07b6 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -75,9 +75,19 @@ module Banzai begin node['href'] = node['href'].strip uri = Addressable::URI.parse(node['href']) - uri.scheme = uri.scheme.downcase if uri.scheme - node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) + return unless uri.scheme + + # Remove all invalid scheme characters before checking against the + # list of unsafe protocols. + # + # See https://tools.ietf.org/html/rfc3986#section-3.1 + scheme = uri.scheme + .strip + .downcase + .gsub(/[^A-Za-z0-9\+\.\-]+/, '') + + node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme) rescue Addressable::URI::InvalidURIError node.remove_attribute('href') end |