Fix persistent XSS vulnerability around profile website URLs.

6cf7dd62 · Douwe Maan · 24d139ba · 6cf7dd62 · 6cf7dd62
Commit 6cf7dd62 authored Apr 10, 2015 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

CHANGELOG CHANGELOG +2 -0

app/models/user.rb app/models/user.rb +2 -2

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.

 v 7.10.0 (unreleased)
+  - Fix persistent XSS vulnerability around profile website URLs.
+  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
  - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
  - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
  - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -486,13 +486,13 @@ class User < ActiveRecord::Base
  end

  def full_website_url
-    return "http://#{website_url}" if website_url !~ /^https?:\/\//
+    return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//

    website_url
  end

  def short_website_url
-    website_url.gsub(/https?:\/\//, '')
+    website_url.sub(/\Ahttps?:\/\//, '')
  end

  def all_ssh_keys