authorDouwe Maan <douwe@selenight.nl>2017-01-29 15:31:13 -0600
committerDouwe Maan <douwe@selenight.nl>2017-02-06 16:12:23 -0600
commit5bf22606efa37f88a0f440205ff013d20227bd5e (patch)
treee9a0f92e8c312b47bd743bf604f804c7182bb5f5
parent27f2ca94181880861269a7ddc07ae0d50a656d35 (diff)
downloadgitlab-ce-5bf22606efa37f88a0f440205ff013d20227bd5e.tar.gz
Fix XSS issue by not using URI.join
-rw-r--r--app/models/environment.rb3
1 files changed, 1 insertions, 2 deletions
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 909249dacca..ed18e6bdea1 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
public_path = project.public_path_for_source_path(path, commit_sha)
return unless public_path
- # TODO: Verify this can't be used for XSS
- URI.join(external_url, public_path).to_s
+ [external_url, public_path].join('/')
end
private
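Review bot: The new line `[external_url, public_path].join('/')` has no comment explaining why `URI.join` was dropped, so a later cleanup could bring it back; I would add `# Concatenate on purpose: URI.join lets an absolute public_path override external_url's scheme and host.` above it. With concatenation the result always begins with `external_url`, so the link is only as safe as that value's scheme. Whether `external_url` is restricted to http/https is not visible in this hunk and is worth confirming in the model's validations. The join also produces a double slash when `external_url` ends in `/` or `public_path` starts with one; `[external_url.chomp('/'), public_path.sub(%r{\A/+}, '')].join('/')` would avoid that, depending on what `public_path_for_source_path` returns. The diffstat shows only this file changed, so a regression spec asserting that the result starts with `external_url` would be a useful follow-up; the method itself begins above the hunk.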