summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorCindy Pallares <cindy@gitlab.com>2018-11-28 22:53:48 +0000
committerCindy Pallares <cindy@gitlab.com>2018-11-28 19:14:15 -0500
commit5736d6606ad7c6d729baa6c4ef789a47ada4ceda (patch)
tree1ae542a04e8782f61a592e3bceeacc087639a1e5 /config
parentc0e5d9afee57745a79c072b0f57fdcbe164312da (diff)
downloadgitlab-ce-5736d6606ad7c6d729baa6c4ef789a47ada4ceda.tar.gz
Merge branch 'security-fix-uri-xss-applications' into 'master'
[master] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols" See merge request gitlab/gitlabhq!2572
Diffstat (limited to 'config')
-rw-r--r--config/initializers/doorkeeper.rb7
1 files changed, 7 insertions, 0 deletions
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index f321b4ea763..6be5c00daaa 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -48,6 +48,13 @@ Doorkeeper.configure do
#
force_ssl_in_redirect_uri false
+ # Specify what redirect URI's you want to block during Application creation.
+ # Any redirect URI is whitelisted by default.
+ #
+ # You can use this option in order to forbid URI's with 'javascript' scheme
+ # for example.
+ forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
+
# Provide support for an owner to be assigned to each registered application (disabled by default)
# Optional parameter confirmation: true (default false) if you want to enforce ownership of
# a registered application