author | Douwe Maan <douwe@selenight.nl> | 2017-01-29 15:31:13 -0600 |
---|---|---|
committer | Douwe Maan <douwe@selenight.nl> | 2017-02-06 16:12:23 -0600 |
commit | 5bf22606efa37f88a0f440205ff013d20227bd5e (patch) | |
tree | e9a0f92e8c312b47bd743bf604f804c7182bb5f5 | |
parent | 27f2ca94181880861269a7ddc07ae0d50a656d35 (diff) | |
download | gitlab-ce-5bf22606efa37f88a0f440205ff013d20227bd5e.tar.gz |
Fix XSS issue by not using URI.join
-rw-r--r-- | app/models/environment.rb | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 909249dacca..ed18e6bdea1 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
 public_path = project.public_path_for_source_path(path, commit_sha)
 return unless public_path
- # TODO: Verify this can't be used for XSS
- URI.join(external_url, public_path).to_s
+ [external_url, public_path].join('/')
 end
 private |
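Review bot: The new line `[external_url, public_path].join('/')` has no comment explaining why plain string joining is used, so a later cleanup could reintroduce `URI.join`, which lets a `public_path` that parses as an absolute URI replace the base entirely. I would put `# Deliberately not URI.join: public_path must never be able to override external_url's scheme or host` above it, in place of the removed TODO. The result is now only as safe as `external_url` itself, so it is worth confirming that the model restricts it to http/https; that validation is not visible here, and the method's `def` line lies above the hunk. The diffstat lists a single changed file, so a spec with a scheme-bearing `public_path` would pin the fix; a trailing slash on `external_url` will also now produce `//` in the result.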