From 5d04cb4b47bb1d77ea467570b341eaada19520f1 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Mon, 12 Jun 2017 13:22:29 -0400
Subject: [PATCH] FIX: Always allow the host the forum is hosted on
---
 lib/final_destination.rb | 23 +++++++++++++++--------
 spec/components/final_destination_spec.rb | 15 +++++++++++++++
 2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/lib/final_destination.rb b/lib/final_destination.rb
index 6fb96b49e55..ce8d76eafd0 100644
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@@ -63,6 +63,12 @@ class FinalDestination
 return nil
 end
+ # Always allow current base url
+ if hostname_matches?(Discourse.base_url_no_prefix)
+ @status = :resolved
+ return @uri
+ end
+
 return nil unless validate_uri
 headers = request_headers
 response = Excon.head(
@@ -124,18 +130,19 @@ class FinalDestination
 (IPAddr.new(@uri.hostname) rescue nil).nil?
 end
+ def hostname_matches?(url)
+ @uri && url.present? && @uri.hostname == (URI(url) rescue nil)&.hostname
+ end
+
 def is_dest_valid?
- # CDNs are always allowed
- return true if SiteSetting.s3_cdn_url.present? &&
- @uri.hostname == URI(SiteSetting.s3_cdn_url).hostname
-
- global_cdn = GlobalSetting.try(:cdn_url)
- return true if global_cdn.present? &&
- @uri.hostname == URI(global_cdn).hostname
-
 return false unless @uri && @uri.host
+ # Whitelisted hosts
+ return true if hostname_matches?(SiteSetting.s3_cdn_url) ||
+ hostname_matches?(GlobalSetting.try(:cdn_url)) ||
+ hostname_matches?(Discourse.base_url_no_prefix)
+
 address_s = @opts[:lookup_ip].call(@uri.hostname)
 return false unless address_s
diff --git a/spec/components/final_destination_spec.rb b/spec/components/final_destination_spec.rb
index b3b263c8262..9266aea451e 100644
--- a/spec/components/final_destination_spec.rb
+++ b/spec/components/final_destination_spec.rb
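Review bot: The new shortcut in the first hunk returns `@uri` with `@status = :resolved` before `return nil unless validate_uri` runs, so a URL on the forum's own host is neither checked by validate_uri (its body is outside the hunk) nor fetched, and because `hostname_matches?` compares hostname only, scheme and port are not compared either. If the intent is only to skip the network round-trip, moving the block below the `return nil unless validate_uri` line keeps whatever validate_uri rejects in force for that host. In either case the terse `# Always allow current base url` should say why a request is skipped, e.g. `# Our own base URL is trusted: resolve it without validate_uri or a HEAD request`. The enclosing method starts before the hunk and continues after it.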
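Review bot: `hostname_matches?` returns true when both hostnames are nil: `@uri.hostname == (URI(url) rescue nil)&.hostname` compares nil == nil if `@uri` has no host and the configured value parses without one (e.g. a cdn_url given without a scheme), and the call site in the first hunk has no `@uri.host` guard of its own. The comparison is also case-sensitive while DNS names are not, so a URL written as `HTTPS://FINAL-TEST.EXAMPLE.COM` does not match the configured host; that fails closed, but it silently defeats the whitelist for such URLs. The rewrite below guards the nil case and compares case-insensitively; `is_dest_valid?` continues past the hunk.
```ruby
def hostname_matches?(url)
  return false unless @uri&.hostname && url.present?
  other = (URI(url) rescue nil)&.hostname
  other.present? && @uri.hostname.downcase == other.downcase
end
```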
@@ -240,6 +240,21 @@ describe FinalDestination do
 it "returns true for private ipv6" do
 expect(fd("https://[fdd7:b450:d4d1:6b44::1]").is_dest_valid?).to eq(false)
 end
+
+ it "returns true for the base uri" do
+ SiteSetting.force_hostname = "final-test.example.com"
+ expect(fd("https://final-test.example.com/onebox").is_dest_valid?).to eq(true)
+ end
+
+ it "returns true for the S3 CDN url" do
+ SiteSetting.s3_cdn_url = "https://s3.example.com"
+ expect(fd("https://s3.example.com/some/thing").is_dest_valid?).to eq(true)
+ end
+
+ it "returns true for the CDN url" do
+ GlobalSetting.stubs(:cdn_url).returns("https://cdn.example.com/discourse")
+ expect(fd("https://cdn.example.com/some/asset").is_dest_valid?).to eq(true)
+ end
 end
 end
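Review bot: All three new examples assert only the allow path of `is_dest_valid?`; nothing exercises the new early return in lib/final_destination.rb's first hunk (which sets `@status = :resolved` and returns `@uri` without running validate_uri), and nothing pins that a host that merely contains the forum host is still rejected, which is the property the exact hostname comparison relies on. A negative example next to "returns true for the base uri" covers the latter, assuming the `fd` helper's IP lookup stub treats that host like the other non-whitelisted examples in this file. That `SiteSetting.force_hostname` feeds `Discourse.base_url_no_prefix` is inferred from the first new example rather than visible here.
```ruby
it "does not allow a subdomain of the base uri" do
  SiteSetting.force_hostname = "final-test.example.com"
  expect(fd("https://sub.final-test.example.com/onebox").is_dest_valid?).to eq(false)
end
```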