| author | Stan Hu <stanhu@gmail.com> | 2018-07-18 08:50:08 +0300 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-07-19 13:14:07 +0300 |
| commit | 50ff36265016728ab9372bff6b16b49e2d2364d6 (patch) | |
| tree | 68e7163f33dcee73ae80f3c90963b5280b4277c7 /lib/gitlab/url_sanitizer.rb | |
| parent | 98eccfc44c597ba14939659ca3b9150197129961 (diff) | |
Escape username and password in UrlSanitizer#full_url
If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.
Diffstat (limited to 'lib/gitlab/url_sanitizer.rb')
-rw-r--r-- | lib/gitlab/url_sanitizer.rb | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb index de8b6ec69ce..308a95d2f09 100644 --- a/lib/gitlab/url_sanitizer.rb +++ b/lib/gitlab/url_sanitizer.rb @@ -71,12 +71,10 @@ module Gitlab def generate_full_url return @url unless valid_credentials? - @full_url = @url.dup - - @full_url.password = credentials[:password] if credentials[:password].present? - @full_url.user = credentials[:user] if credentials[:user].present? - - @full_url + @url.dup.tap do |generated| + generated.password = encode_percent(credentials[:password]) if credentials[:password].present? + generated.user = encode_percent(credentials[:user]) if credentials[:user].present? + end end def safe_url @@ -89,5 +87,10 @@ module Gitlab def valid_credentials? credentials && credentials.is_a?(Hash) && credentials.any? end + + def encode_percent(string) + # CGI.escape converts spaces to +, but this doesn't work for git clone + CGI.escape(string).gsub('+', '%20') + end end end |
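Review bot: in the `generate_full_url` hunk, the new `encode_percent(credentials[:password])` / `encode_percent(credentials[:user])` calls introduce a double-encoding risk if `credentials` can already hold percent-encoded values (for example a password extracted from a URL that contained `%2F`): the `%` would be re-encoded as `%25` and the resulting URL would no longer carry the original secret. A spec with a password containing a literal `%`, plus a comment stating that `credentials` is expected to hold raw (unencoded) values, would pin this down. Separately, the hunk drops the `@full_url` instance variable in favour of `@url.dup.tap`; that is only safe if nothing else in the class reads `@full_url` directly, and the `full_url` accessor is not visible here, so confirm it still goes through `generate_full_url`.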
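Review bot: `encode_percent` relies on `CGI.escape`, which performs `application/x-www-form-urlencoded` encoding rather than RFC 3986 userinfo encoding, and the trailing `gsub('+', '%20')` is correct only because `CGI.escape` has already turned any literal `+` in the input into `%2B` before the substitution runs. That ordering dependency deserves a sentence in the comment and a spec such as `'a+b c'` -> `'a%2Bb%20c'`, so a later refactor does not swap in an encoder that leaves `+` alone. `ERB::Util.url_encode` would produce `%20` for spaces directly and make the `gsub` unnecessary. Also confirm that `cgi` is required in this file's load path; the hunk does not show a `require 'cgi'`.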