SECURITY: prevent use of X-Forwarded-Host to perform XSS

2018-08-13 16:44:35 -04:00 · 2018-08-13 16:44:35 -04:00 · 71b65be6f6
parent 7f4ef3db9e
commit 71b65be6f6
2 changed files with 2 additions and 4 deletions
--- a/app/views/common/_special_font_face.html.erb
+++ b/app/views/common/_special_font_face.html.erb
@ -8,7 +8,7 @@
  &1 was added last when the nginx sample config changed
 %>

-<% font_domain = "#{request.protocol}#{request.host_with_port}&2" %>
+<% font_domain = "#{Discourse.base_url_no_prefix}&2".html_safe %>
 <% woff2_url = "#{asset_path("fontawesome-webfont.woff2")}?#{font_domain}&v=4.7.0".html_safe %>

 <link rel="preload" href="<%=woff2_url%>" as="font" type="font/woff2" crossorigin />
--- a/app/views/exceptions/not_found.html.erb
+++ b/app/views/exceptions/not_found.html.erb
@ -26,15 +26,13 @@
 <% end %>

 <%- unless @hide_google %>
-  <% local_domain = "#{request.protocol}#{request.host_with_port}" %>
-
  <div class="row">
    <div class="page-not-found-search">
      <h2><%= t 'page_not_found.search_title' %></h2>
      <p>
        <form action='//google.com/search' id='google-search'>
          <input type="text" name="q" value="<%= @slug %>">
-          <input type='hidden' name="as_sitesearch" value="<%= local_domain %>">
+          <input type='hidden' name="as_sitesearch" value="<%= Discourse.base_url %>">
          <button class="btn btn-primary"><%= t 'page_not_found.search_google' %></button>
        </form>
      </p>