Merge branch 'security-10-1' into '10-1-stable'

Security fixes for 10.1 RC See merge request gitlab/gitlabhq!2209
author: Jen-Shin Lin <jen-shin@gitlab.com> 2017-10-17 10:12:24 +0000
committer: Stan Hu <stanhu@gmail.com> 2017-10-17 15:58:58 -0700
commit: bd46c8abfd5ee964c47eff0ace021e45cbbe6687 (patch)
tree: e22dc885b8d70829cf3893cc65c49f6351bc2d34 /lib
parent: 9978ef9884023df12b3fbc5758cf93d166100c80 (diff)
download: gitlab-ce-bd46c8abfd5ee964c47eff0ace021e45cbbe6687.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index d8c8deea628..6786b9d07b6 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -75,9 +75,19 @@ module Banzai
             begin
               node['href'] = node['href'].strip
               uri = Addressable::URI.parse(node['href'])
-              uri.scheme = uri.scheme.downcase if uri.scheme
 
-              node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
+              return unless uri.scheme
+
+              # Remove all invalid scheme characters before checking against the
+              # list of unsafe protocols.
+              #
+              # See https://tools.ietf.org/html/rfc3986#section-3.1
+              scheme = uri.scheme
+                .strip
+                .downcase
+                .gsub(/[^A-Za-z0-9\+\.\-]+/, '')
+
+              node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)
             rescue Addressable::URI::InvalidURIError
               node.remove_attribute('href')
             end
author	Jen-Shin Lin <jen-shin@gitlab.com>	2017-10-17 10:12:24 +0000
committer	Stan Hu <stanhu@gmail.com>	2017-10-17 15:58:58 -0700
commit	bd46c8abfd5ee964c47eff0ace021e45cbbe6687 (patch)
tree	e22dc885b8d70829cf3893cc65c49f6351bc2d34 /lib
parent	9978ef9884023df12b3fbc5758cf93d166100c80 (diff)
download	gitlab-ce-bd46c8abfd5ee964c47eff0ace021e45cbbe6687.tar.gz