Merge branch 'security-stored-xss-for-environments' into 'master'

[master] Stored XSS for Environments Closes #2727 See merge request gitlab/gitlabhq!2594
author: Cindy Pallares <cindy@gitlab.com> 2018-11-28 18:37:12 +0000
committer: Cindy Pallares <cindy@gitlab.com> 2018-11-28 19:07:29 -0500
commit: 4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6 (patch)
tree: 8187716680c85065ed8780632408d4ccf897ba50 /lib/gitlab/url_blocker.rb
parent: 1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (diff)
download: gitlab-ce-4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 86efe8ad114..4b1b58d68d8 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -111,12 +111,14 @@ module Gitlab
       end
 
       def internal_web?(uri)
-        uri.hostname == config.gitlab.host &&
+        uri.scheme == config.gitlab.protocol &&
+          uri.hostname == config.gitlab.host &&
           (uri.port.blank? || uri.port == config.gitlab.port)
       end
 
       def internal_shell?(uri)
-        uri.hostname == config.gitlab_shell.ssh_host &&
+        uri.scheme == 'ssh' &&
+          uri.hostname == config.gitlab_shell.ssh_host &&
           (uri.port.blank? || uri.port == config.gitlab_shell.ssh_port)
       end
author	Cindy Pallares <cindy@gitlab.com>	2018-11-28 18:37:12 +0000
committer	Cindy Pallares <cindy@gitlab.com>	2018-11-28 19:07:29 -0500
commit	4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6 (patch)
tree	8187716680c85065ed8780632408d4ccf897ba50 /lib/gitlab/url_blocker.rb
parent	1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (diff)
download	gitlab-ce-4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6.tar.gz