diff options
author | Robert Speicher <robert@gitlab.com> | 2017-10-18 11:08:04 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2017-10-18 11:08:04 +0000 |
commit | 11dfe0489b1bbe7f0e43eaa72fcdf7140efcbc2f (patch) | |
tree | 5a73f56006c6b3974675a3be88ef77a7a1fddf3c /lib/banzai/filter/sanitization_filter.rb | |
parent | cddc504740eea1e017c1ce23b84c6b19044020f4 (diff) | |
parent | ff04e38eb41eb781b4de0346a9230884bb36eff9 (diff) | |
download | gitlab-ce-11dfe0489b1bbe7f0e43eaa72fcdf7140efcbc2f.tar.gz |
Merge branch 'sh-security-fix-backports-master' into 'master'
Backport all fixes from GitLab 10.1 into master
See merge request gitlab-org/gitlab-ce!14922
Diffstat (limited to 'lib/banzai/filter/sanitization_filter.rb')
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index d8c8deea628..6786b9d07b6 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -75,9 +75,19 @@ module Banzai begin node['href'] = node['href'].strip uri = Addressable::URI.parse(node['href']) - uri.scheme = uri.scheme.downcase if uri.scheme - node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) + return unless uri.scheme + + # Remove all invalid scheme characters before checking against the + # list of unsafe protocols. + # + # See https://tools.ietf.org/html/rfc3986#section-3.1 + scheme = uri.scheme + .strip + .downcase + .gsub(/[^A-Za-z0-9\+\.\-]+/, '') + + node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme) rescue Addressable::URI::InvalidURIError node.remove_attribute('href') end |