Merge branch 'security-11-5-stored-xss-for-environments' into 'security-11-5'

[11.5] Stored XSS for Environments See merge request gitlab/gitlabhq!2614
author: Steve Azzopardi <sazzopardi@gitlab.com> 2018-11-23 11:06:13 +0300
committer: Steve Azzopardi <sazzopardi@gitlab.com> 2018-11-23 11:06:13 +0300
commit: b9a9d2f0f2785cebecf7d89d2506f453fb17341c (patch)
tree: 9f852cf73a6bd77bc813d27f5d343e06ba884f5d /lib
parent: 24ef94f3bdfc983e59b1858b16aed9acc932c8b3 (diff)
parent: 671c6036a3bb0b3ddfb80e02a3a58afad087668f (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 86efe8ad114..4b1b58d68d8 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -111,12 +111,14 @@ module Gitlab
       end
 
       def internal_web?(uri)
-        uri.hostname == config.gitlab.host &&
+        uri.scheme == config.gitlab.protocol &&
+          uri.hostname == config.gitlab.host &&
           (uri.port.blank? || uri.port == config.gitlab.port)
       end
 
       def internal_shell?(uri)
-        uri.hostname == config.gitlab_shell.ssh_host &&
+        uri.scheme == 'ssh' &&
+          uri.hostname == config.gitlab_shell.ssh_host &&
           (uri.port.blank? || uri.port == config.gitlab_shell.ssh_port)
       end
author	Steve Azzopardi <sazzopardi@gitlab.com>	2018-11-23 11:06:13 +0300
committer	Steve Azzopardi <sazzopardi@gitlab.com>	2018-11-23 11:06:13 +0300
commit	b9a9d2f0f2785cebecf7d89d2506f453fb17341c (patch)
tree	9f852cf73a6bd77bc813d27f5d343e06ba884f5d /lib
parent	24ef94f3bdfc983e59b1858b16aed9acc932c8b3 (diff)
parent	671c6036a3bb0b3ddfb80e02a3a58afad087668f (diff)