Commit dc6b679b authored by Robert Speicher's avatar Robert Speicher Committed by Robert Speicher

Merge branch 'fix-arbitrary-redirect-vulnerability' into 'security-10-0'

Fix arbitrary redirect location vulnerability

See merge request gitlab/gitlabhq!2192
parent 65d6dcdb
...@@ -2,7 +2,6 @@ class Projects::ApplicationController < ApplicationController ...@@ -2,7 +2,6 @@ class Projects::ApplicationController < ApplicationController
include RoutableActions include RoutableActions
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
before_action :redirect_git_extension
before_action :project before_action :project
before_action :repository before_action :repository
layout 'project' layout 'project'
...@@ -11,15 +10,6 @@ class Projects::ApplicationController < ApplicationController ...@@ -11,15 +10,6 @@ class Projects::ApplicationController < ApplicationController
private private
def redirect_git_extension
# Redirect from
# localhost/group/project.git
# to
# localhost/group/project
#
redirect_to url_for(params.merge(format: nil)) if params[:format] == 'git'
end
def project def project
return @project if @project return @project if @project
return nil unless params[:project_id] || params[:id] return nil unless params[:project_id] || params[:id]
...@@ -3,6 +3,7 @@ class ProjectsController < Projects::ApplicationController ...@@ -3,6 +3,7 @@ class ProjectsController < Projects::ApplicationController
include ExtractsPath include ExtractsPath
before_action :authenticate_user!, except: [:index, :show, :activity, :refs] before_action :authenticate_user!, except: [:index, :show, :activity, :refs]
before_action :redirect_git_extension, only: [:show]
before_action :project, except: [:index, :new, :create] before_action :project, except: [:index, :new, :create]
before_action :repository, except: [:index, :new, :create] before_action :repository, except: [:index, :new, :create]
before_action :assign_ref_vars, only: [:show], if: :repo_exists? before_action :assign_ref_vars, only: [:show], if: :repo_exists?
...@@ -390,4 +391,13 @@ class ProjectsController < Projects::ApplicationController ...@@ -390,4 +391,13 @@ class ProjectsController < Projects::ApplicationController
url_for(params) url_for(params)
end end
def redirect_git_extension
# Redirect from
# localhost/group/project.git
# to
# localhost/group/project
#
redirect_to request.original_url.sub(/\.git\/?\Z/, '') if params[:format] == 'git'
end
end end
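Review bot: The substitution in `redirect_git_extension` never matches when the request carries a query string, because `request.original_url` includes it and `/\.git\/?\Z/` is anchored at the very end of the string; `sub` then returns the URL unchanged and the action redirects to itself while `params[:format]` is still `'git'`, so such requests loop instead of landing on the extension-less page. Anchoring before an optional query, `redirect_to request.original_url.sub(%r{\.git/?(?=\?|\z)}, '') if params[:format] == 'git'`, strips the extension and keeps the query intact. `\z` is also the strict end-of-string anchor, whereas `\Z` tolerates a trailing newline; harmless here, but the narrower anchor is the conventional choice. The target is still built from the request's own URL rather than from caller-supplied parameters, so the redirect stays on the current host.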
---
title: Prevent an open redirect on project pages
merge_request:
author:
type: security