Merge branch 'regex-start-of-string' into 'master'
Fix persistent XSS vulnerability around profile website URLs. Fixes gitlab/gitlab-ee#268. See merge request !1761
commit
f244914402
|
@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
|
|||
|
||||
v 7.10.0 (unreleased)
|
||||
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
|
||||
- Fix persistent XSS vulnerability around profile website URLs.
|
||||
- Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
|
||||
- Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
|
||||
- Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
|
||||
|
|
|
@ -153,7 +153,7 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
|
||||
def method_missing(method_sym, *arguments, &block)
|
||||
if method_sym.to_s =~ /^authorize_(.*)!$/
|
||||
if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
|
||||
authorize_project!($1.to_sym)
|
||||
else
|
||||
super
|
||||
|
|
|
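Review bot: The `authorize_project!($1.to_sym)` line following the anchored match still interns whatever text the `(.*)` group captured; a named, bounded capture documents what an ability name may look like and avoids the cryptic global, e.g. `if method_sym.to_s =~ /\Aauthorize_(?<ability>\w+)!\z/` followed by `authorize_project!(Regexp.last_match[:ability].to_sym)`, assuming ability names are plain word characters. A `method_missing` override is normally paired with `respond_to_missing?`; none is visible in this hunk, so please confirm one exists in the class. The closing `end` of `method_missing` lies outside the hunk.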
@ -125,7 +125,7 @@ module ApplicationHelper
|
|||
|
||||
# If reference is commit id - we should add it to branch/tag selectbox
|
||||
if(@ref && !options.flatten.include?(@ref) &&
|
||||
@ref =~ /^[0-9a-zA-Z]{6,52}$/)
|
||||
@ref =~ /\A[0-9a-zA-Z]{6,52}\z/)
|
||||
options << ['Commit', [@ref]]
|
||||
end
|
||||
|
||||
|
|
|
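Review bot: The anchored pattern on the `@ref =~ /\A[0-9a-zA-Z]{6,52}\z/` line still accepts any 6–52 alphanumeric characters, which is wider than a hexadecimal object id; if the surrounding `# If reference is commit id` comment describes the intent, `/\A\h{6,40}\z/` states it directly, though the wider class may be deliberate — please confirm. Either way a one-line comment such as `# abbreviated or full object id; unknown branches/tags were excluded above` would record the reasoning next to the guard. The enclosing method starts and ends outside this hunk.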
@ -13,7 +13,7 @@ module GitlabMarkdownHelper
|
|||
def link_to_gfm(body, url, html_options = {})
|
||||
return "" if body.blank?
|
||||
|
||||
escaped_body = if body =~ /^\<img/
|
||||
escaped_body = if body =~ /\A\<img/
|
||||
body
|
||||
else
|
||||
escape_once(body)
|
||||
|
@ -139,7 +139,7 @@ module GitlabMarkdownHelper
|
|||
@project.path_with_namespace,
|
||||
path_with_ref(file_path),
|
||||
file_path
|
||||
].compact.join("/").gsub(/^\/*|\/*$/, '') + id
|
||||
].compact.join("/").gsub(/\A\/*|\/*\z/, '') + id
|
||||
end
|
||||
|
||||
def sanitize_slashes(path)
|
||||
|
|
|
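Review bot: On the `escaped_body = if body =~ /\A\<img/` line, a body that begins with `<img` is still passed through with no escaping at all, so everything after that prefix reaches the output verbatim; the tightened anchor only guarantees the exemption cannot be reached from a later line of a multi-line body. If `body` can ever carry user-derived text, running that branch through the sanitizer with an allowlist is safer than skipping `escape_once`, e.g. `sanitize(body, tags: %w[img], attributes: %w[src alt])`. `link_to_gfm` continues past the first hunk. In the second hunk, `gsub(/\A\/*|\/*\z/, '')` reads more easily as `gsub(%r{\A/*|/*\z}, '')`.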
@ -44,7 +44,7 @@ module SubmoduleHelper
|
|||
|
||||
def relative_self_url?(url)
|
||||
# (./)?(../repo.git) || (./)?(../../project/repo.git) )
|
||||
url =~ /^((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\Z/ || url =~ /^((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\Z/
|
||||
url =~ /\A((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\z/ || url =~ /\A((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\z/
|
||||
end
|
||||
|
||||
def standard_links(host, namespace, project, commit)
|
||||
|
|
|
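Review bot: The two patterns on the new `url =~` line are hard to verify by eye because of the escaped slashes and nested lookaheads; `%r{...}` delimiters plus extended mode (`/x`) with a comment per alternative would make the `../repo.git` and `../../project/repo.git` cases reviewable, and `Regexp.union` could fold the two matches into one. The existing `# (./)?(../repo.git) || (./)?(../../project/repo.git) )` comment could then live inside the pattern itself. `relative_self_url?` is contained entirely within this hunk.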
@ -148,7 +148,7 @@ class IrkerService < Service
|
|||
|
||||
def consider_uri(uri)
|
||||
# Authorize both irc://domain.com/#chan and irc://domain.com/chan
|
||||
if uri.is_a?(URI) && uri.scheme[/^ircs?$/] && !uri.path.nil?
|
||||
if uri.is_a?(URI) && uri.scheme[/^ircs?\z/] && !uri.path.nil?
|
||||
# Do not authorize irc://domain.com/
|
||||
if uri.fragment.nil? && uri.path.length > 1
|
||||
uri.to_s
|
||||
|
|
|
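Review bot: `uri.scheme[/^ircs?\z/]` keeps `^` as its start anchor while every other pattern in this commit was moved to `\A`; for consistency with the commit's intent the line should read `if uri.is_a?(URI) && uri.scheme[/\Aircs?\z/] && !uri.path.nil?`. A scheme produced by `URI` parsing is unlikely to contain a newline, so this is a consistency point rather than a practical bypass. `consider_uri` continues past this hunk.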
@ -199,7 +199,7 @@ class Repository
|
|||
def changelog
|
||||
cache.fetch(:changelog) do
|
||||
tree(:head).blobs.find do |file|
|
||||
file.name =~ /^(changelog|history)/i
|
||||
file.name =~ /\A(changelog|history)/i
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -207,7 +207,7 @@ class Repository
|
|||
def license
|
||||
cache.fetch(:license) do
|
||||
tree(:head).blobs.find do |file|
|
||||
file.name =~ /^license/i
|
||||
file.name =~ /\Alicense/i
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -486,13 +486,13 @@ class User < ActiveRecord::Base
|
|||
end
|
||||
|
||||
def full_website_url
|
||||
return "http://#{website_url}" if website_url !~ /^https?:\/\//
|
||||
return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//
|
||||
|
||||
website_url
|
||||
end
|
||||
|
||||
def short_website_url
|
||||
website_url.gsub(/https?:\/\//, '')
|
||||
website_url.sub(/\Ahttps?:\/\//, '')
|
||||
end
|
||||
|
||||
def all_ssh_keys
|
||||
|
|
|
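Review bot: Both new patterns are case-sensitive, so a stored `HTTP://example.com` gets `http://` prepended by `full_website_url` and is left intact by `short_website_url`; unless uppercase schemes are meant to be treated as missing, `/\Ahttps?:\/\//i` in both methods keeps them consistent. `short_website_url` raises `NoMethodError` when `website_url` is nil, whereas `full_website_url` returns `"http://"` in that case because `nil !~ regex` is true — worth confirming the column is non-null or using `website_url.to_s` in both. The anchored check only verifies the scheme prefix; a URL format validation on the model would add a second layer beyond this presentation-time check.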
@ -13,9 +13,7 @@ class CreateTagService < BaseService
|
|||
return error('Tag already exists')
|
||||
end
|
||||
|
||||
if message
|
||||
message.gsub!(/^\s+|\s+$/, '')
|
||||
end
|
||||
message.strip! if message
|
||||
|
||||
repository.add_tag(tag_name, ref, message)
|
||||
new_tag = repository.find_tag(tag_name)
|
||||
|
|
|
@ -11,8 +11,8 @@ class PostReceive
|
|||
log("Check gitlab.yml config for correct gitlab_shell.repos_path variable. \"#{Gitlab.config.gitlab_shell.repos_path}\" does not match \"#{repo_path}\"")
|
||||
end
|
||||
|
||||
repo_path.gsub!(/\.git$/, "")
|
||||
repo_path.gsub!(/^\//, "")
|
||||
repo_path.gsub!(/\.git\z/, "")
|
||||
repo_path.gsub!(/\A\//, "")
|
||||
|
||||
project = Project.find_with_namespace(repo_path)
|
||||
|
||||
|
|
|
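Review bot: Both anchored patterns on the new `repo_path.gsub!` lines can match at most once, so `sub!` states the intent and mirrors the `gsub` → `sub` change this commit makes in `User#short_website_url`: `repo_path.sub!(/\.git\z/, "")` and `repo_path.sub!(%r{\A/}, "")`. The suffix strip could also be `repo_path.chomp!(".git")`, which needs no regex at all. The enclosing method starts and ends outside this hunk.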
@ -208,7 +208,7 @@ Devise.setup do |config|
|
|||
if Gitlab::LDAP::Config.enabled?
|
||||
Gitlab.config.ldap.servers.values.each do |server|
|
||||
if server['allow_username_or_email_login']
|
||||
email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
|
||||
email_stripping_proc = ->(name) {name.gsub(/@.*\z/,'')}
|
||||
else
|
||||
email_stripping_proc = ->(name) {name}
|
||||
end
|
||||
|
|
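Review bot: The lambda on the `email_stripping_proc` line uses `gsub` with a pattern anchored to `\z`, which can match at most once, so `sub` is the clearer call. Because `.` does not cross a newline, a login containing `@` followed by a line break is now left unstripped where the old `$` form stripped up to the newline; if the goal is "everything after the first `@`", add `/m`: `email_stripping_proc = ->(name) { name.sub(/@.*\z/m, '') }`. The surrounding `each` block runs past the hunk.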