github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-26 12:05:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Remove bypass for base_url (#19995)

Browse Source 
The check used to be necessary because we validated the referrer too and
this bypass was a workaround a bug that is present in some browsers that
do not send the correct referrer.
This commit is contained in:
Bianca Nenciu
2023-01-25 13:50:45 +02:00
committed by GitHub
parent d5745d34c2
commit cd7c8861ae
2 changed files with 2 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/models/embeddable_host.rb
View File

@ -45,9 +45,6 @@ class EmbeddableHost < ActiveRecord::Base
def self.url_allowed?(url) def self.url_allowed?(url)
return false if url.nil? return false if url.nil?
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
uri = uri =
begin begin
URI(UrlHelper.normalized_encode(url)) URI(UrlHelper.normalized_encode(url))

4
spec/models/embeddable_host_spec.rb
View File

@ -88,8 +88,8 @@ RSpec.describe EmbeddableHost do
expect(EmbeddableHost.url_allowed?("http://discourse.org")).to eq(true) expect(EmbeddableHost.url_allowed?("http://discourse.org")).to eq(true)
end end
it "always allow forum own URL" do it "does not allow forum own URL" do
expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(true) expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
end end
end end