Fix persistent XSS vulnerability around profile website URLs.

author: Douwe Maan <douwe@gitlab.com> 2015-04-10 18:27:42 +0200
committer: Douwe Maan <douwe@gitlab.com> 2015-04-10 18:30:49 +0200
commit: 6cf7dd625a7db143c146de1b146cba7dbcbc2576 (patch)
tree: 71155400960473dce634f4a18721c5be1fe8e798
parent: 24d139ba971cf61a4b7a01031c4c57bcba29b172 (diff)
download: gitlab-ce-6cf7dd625a7db143c146de1b146cba7dbcbc2576.tar.gz
2 files changed, 4 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 0878c03207b..3c119a93d36 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.10.0 (unreleased)
+  - Fix persistent XSS vulnerability around profile website URLs.
+  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
   - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/app/models/user.rb b/app/models/user.rb
index 515f29ea0ba..e2b6757bc4d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -486,13 +486,13 @@ class User < ActiveRecord::Base
   end
 
   def full_website_url
-    return "http://#{website_url}" if website_url !~ /^https?:\/\//
+    return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//
 
     website_url
   end
 
   def short_website_url
-    website_url.gsub(/https?:\/\//, '')
+    website_url.sub(/\Ahttps?:\/\//, '')
   end
 
   def all_ssh_keys
author	Douwe Maan <douwe@gitlab.com>	2015-04-10 18:27:42 +0200
committer	Douwe Maan <douwe@gitlab.com>	2015-04-10 18:30:49 +0200
commit	6cf7dd625a7db143c146de1b146cba7dbcbc2576 (patch)
tree	71155400960473dce634f4a18721c5be1fe8e798
parent	24d139ba971cf61a4b7a01031c4c57bcba29b172 (diff)
download	gitlab-ce-6cf7dd625a7db143c146de1b146cba7dbcbc2576.tar.gz