Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: path whitelist for embedded comments didn't work with non-ASCII chars

This commit is contained in:
Gerhard Schlager 2017-12-12 17:56:28 +01:00
parent e30851e45a
commit a7c1b0c81f
2 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/models/embeddable_host.rb
View File

@ -1,3 +1,5 @@
require_dependency 'url_helper'
class EmbeddableHost < ActiveRecord::Base class EmbeddableHost < ActiveRecord::Base
validate :host_must_be_valid validate :host_must_be_valid
belongs_to :category belongs_to :category
@ -10,7 +12,7 @@ class EmbeddableHost < ActiveRecord::Base
def self.record_for_url(uri) def self.record_for_url(uri)
if uri.is_a?(String) if uri.is_a?(String)
uri = URI(URI.encode(uri)) rescue nil uri = URI(UrlHelper.escape_uri(uri)) rescue nil
end end
return false unless uri.present? return false unless uri.present?
@ -25,7 +27,10 @@ class EmbeddableHost < ActiveRecord::Base
path << "?" << uri.query if uri.query.present? path << "?" << uri.query if uri.query.present?
where("lower(host) = ?", host).each do |eh| where("lower(host) = ?", host).each do |eh|
return eh if eh.path_whitelist.blank? || !Regexp.new(eh.path_whitelist).match(path).nil? return eh if eh.path_whitelist.blank?
path_regexp = Regexp.new(eh.path_whitelist)
return eh if path_regexp.match(path) || path_regexp.match(URI.unescape(path))
end end
nil nil
@ -35,7 +40,7 @@ class EmbeddableHost < ActiveRecord::Base
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL # Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
return true if url&.starts_with?(Discourse.base_url) return true if url&.starts_with?(Discourse.base_url)
uri = URI(URI.encode(url)) rescue nil uri = URI(UrlHelper.escape_uri(url)) rescue nil
uri.present? && record_for_url(uri).present? uri.present? && record_for_url(uri).present?
end end

16
spec/models/embeddable_host_spec.rb
View File

@ -103,6 +103,22 @@ describe EmbeddableHost do
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/rick/smith')).to eq(true) expect(EmbeddableHost.url_allowed?('http://eviltrout.com/rick/smith')).to eq(true)
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/morty/sanchez')).to eq(true) expect(EmbeddableHost.url_allowed?('http://eviltrout.com/morty/sanchez')).to eq(true)
end end
it "works with non-english paths" do
Fabricate(:embeddable_host, path_whitelist: '/انگلیسی/.*')
Fabricate(:embeddable_host, path_whitelist: '/definição/.*')
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/انگلیسی/foo')).to eq(true)
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/definição/foo')).to eq(true)
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/bar/foo')).to eq(false)
end
it "works with URL encoded paths" do
Fabricate(:embeddable_host, path_whitelist: '/definição/.*')
Fabricate(:embeddable_host, path_whitelist: '/ingl%C3%A9s/.*')
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/defini%C3%A7%C3%A3o/foo')).to eq(true)
expect(EmbeddableHost.url_allowed?('http://eviltrout.com/inglés/foo')).to eq(true)
end
end end
end end