diff options
author | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:27:42 +0200 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:30:49 +0200 |
commit | 6cf7dd625a7db143c146de1b146cba7dbcbc2576 (patch) | |
tree | 71155400960473dce634f4a18721c5be1fe8e798 | |
parent | 24d139ba971cf61a4b7a01031c4c57bcba29b172 (diff) | |
download | gitlab-ce-6cf7dd625a7db143c146de1b146cba7dbcbc2576.tar.gz |
Fix persistent XSS vulnerability around profile website URLs.
-rw-r--r-- | CHANGELOG | 2 | ||||
-rw-r--r-- | app/models/user.rb | 4 |
2 files changed, 4 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index 0878c03207b..3c119a93d36 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,8 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.10.0 (unreleased) + - Fix persistent XSS vulnerability around profile website URLs. + - Fix broken file browsing with a submodule that contains a relative link (Stan Hu) - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu) - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu) - Add ability to configure Reply-To address in gitlab.yml (Stan Hu) diff --git a/app/models/user.rb b/app/models/user.rb index 515f29ea0ba..e2b6757bc4d 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -486,13 +486,13 @@ class User < ActiveRecord::Base end def full_website_url - return "http://#{website_url}" if website_url !~ /^https?:\/\// + return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\// website_url end def short_website_url - website_url.gsub(/https?:\/\//, '') + website_url.sub(/\Ahttps?:\/\//, '') end def all_ssh_keys |