Revert "Revert "Merge branch 'master' of https://github.com/discourse/discourse""

This reverts commit 20780a1eeed56b321daf18ee6bbfe681a51d1bf4.

* SECURITY: re-adds accidentally reverted commit:
  03d26cd6: ensure embed_url contains valid http(s) uri
* when the merge commit e62a85cf was reverted, git chose the 2660c2e2 parent to land on
  instead of the 03d26cd6 parent (which contains security fixes)
This commit is contained in:
Michael Brown
2020-05-23 00:56:13 -04:00
parent 20780a1eee
commit d9a02d1336
236 changed files with 1031 additions and 715 deletions

@ -79,12 +79,35 @@ module FileStore
def has_been_uploaded?(url)
return false if url.blank?
begin
parsed_url = URI.parse(URI.encode(url))
rescue URI::InvalidURIError
return false
end
base_hostname = URI.parse(absolute_base_url).hostname
return true if url[base_hostname]
if url[base_hostname]
# if the hostnames match it means the upload is in the same
# bucket on s3. however, the bucket folder path may differ in
# some cases, and we do not want to assume the url is uploaded
# here. e.g. the path of the current site could be /prod and the
# other site could be /staging
if s3_bucket_folder_path.present?
return parsed_url.path.starts_with?("/#{s3_bucket_folder_path}")
else
return true
end
return false
end
return false if SiteSetting.Upload.s3_cdn_url.blank?
cdn_hostname = URI.parse(SiteSetting.Upload.s3_cdn_url || "").hostname
cdn_hostname.presence && url[cdn_hostname]
return true if cdn_hostname.presence && url[cdn_hostname]
false
end
def s3_bucket_folder_path
@s3_helper.s3_bucket_folder_path
end
def s3_bucket_name
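Review bot: the same-bucket test in has_been_uploaded? is still the substring check `if url[base_hostname]`, so it passes for any URL that merely contains the base hostname somewhere in the string (in the path, the query, or as part of a longer hostname). Now that parsed_url is available, compare `parsed_url.hostname == base_hostname` instead, and treat the `url[cdn_hostname]` check the same way. The folder test `parsed_url.path.starts_with?("/#{s3_bucket_folder_path}")` has no trailing separator, so a folder path of prod would also accept a path beginning /production; append "/" to the prefix before comparing. The `return false` that follows the inner if/else is unreachable because both branches return, and `URI.encode` is obsolete as of Ruby 2.7 and removed in 3.0, so the parse step will need a replacement before a Ruby upgrade.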