FIX: Always allow the host the forum is hosted on

This commit is contained in:
Robin Ward 2017-06-12 13:22:29 -04:00
parent 4324ea024c
commit 5d04cb4b47
2 changed files with 30 additions and 8 deletions

View File

@ -63,6 +63,12 @@ class FinalDestination
return nil return nil
end end
# Always allow current base url
if hostname_matches?(Discourse.base_url_no_prefix)
@status = :resolved
return @uri
end
return nil unless validate_uri return nil unless validate_uri
headers = request_headers headers = request_headers
response = Excon.head( response = Excon.head(
@ -124,18 +130,19 @@ class FinalDestination
(IPAddr.new(@uri.hostname) rescue nil).nil? (IPAddr.new(@uri.hostname) rescue nil).nil?
end end
def hostname_matches?(url)
@uri && url.present? && @uri.hostname == (URI(url) rescue nil)&.hostname
end
def is_dest_valid? def is_dest_valid?
# CDNs are always allowed
return true if SiteSetting.s3_cdn_url.present? &&
@uri.hostname == URI(SiteSetting.s3_cdn_url).hostname
global_cdn = GlobalSetting.try(:cdn_url)
return true if global_cdn.present? &&
@uri.hostname == URI(global_cdn).hostname
return false unless @uri && @uri.host return false unless @uri && @uri.host
# Whitelisted hosts
return true if hostname_matches?(SiteSetting.s3_cdn_url) ||
hostname_matches?(GlobalSetting.try(:cdn_url)) ||
hostname_matches?(Discourse.base_url_no_prefix)
address_s = @opts[:lookup_ip].call(@uri.hostname) address_s = @opts[:lookup_ip].call(@uri.hostname)
return false unless address_s return false unless address_s

View File

@ -240,6 +240,21 @@ describe FinalDestination do
it "returns true for private ipv6" do it "returns true for private ipv6" do
expect(fd("https://[fdd7:b450:d4d1:6b44::1]").is_dest_valid?).to eq(false) expect(fd("https://[fdd7:b450:d4d1:6b44::1]").is_dest_valid?).to eq(false)
end end
it "returns true for the base uri" do
SiteSetting.force_hostname = "final-test.example.com"
expect(fd("https://final-test.example.com/onebox").is_dest_valid?).to eq(true)
end
it "returns true for the S3 CDN url" do
SiteSetting.s3_cdn_url = "https://s3.example.com"
expect(fd("https://s3.example.com/some/thing").is_dest_valid?).to eq(true)
end
it "returns true for the CDN url" do
GlobalSetting.stubs(:cdn_url).returns("https://cdn.example.com/discourse")
expect(fd("https://cdn.example.com/some/asset").is_dest_valid?).to eq(true)
end
end end
end end