FIX: Always allow the host the forum is hosted on
This commit is contained in:
parent
4324ea024c
commit
5d04cb4b47
|
@ -63,6 +63,12 @@ class FinalDestination
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Always allow current base url
|
||||||
|
if hostname_matches?(Discourse.base_url_no_prefix)
|
||||||
|
@status = :resolved
|
||||||
|
return @uri
|
||||||
|
end
|
||||||
|
|
||||||
return nil unless validate_uri
|
return nil unless validate_uri
|
||||||
headers = request_headers
|
headers = request_headers
|
||||||
response = Excon.head(
|
response = Excon.head(
|
||||||
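Review bot: The new short-circuit `if hostname_matches?(Discourse.base_url_no_prefix)` sets `@status = :resolved` and returns `@uri` before the existing `return nil unless validate_uri`, so for a URL on the forum's own host whatever `validate_uri` enforces (its body is outside this hunk; presumably at least the scheme) is skipped entirely, while `hostname_matches?` (defined in the second hunk) compares the hostname only, not scheme or port. If the intent is just to exempt the forum's host from the IP-based checks, moving the block below `return nil unless validate_uri` keeps that validation in force; otherwise the comment should say that scheme and port are deliberately not checked here, e.g. `# Always allow current base url (hostname only; scheme/port are not validated)`. The enclosing `resolve` method starts and ends outside the hunk.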
|
@ -124,18 +130,19 @@ class FinalDestination
|
||||||
(IPAddr.new(@uri.hostname) rescue nil).nil?
|
(IPAddr.new(@uri.hostname) rescue nil).nil?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def hostname_matches?(url)
|
||||||
|
@uri && url.present? && @uri.hostname == (URI(url) rescue nil)&.hostname
|
||||||
|
end
|
||||||
|
|
||||||
def is_dest_valid?
|
def is_dest_valid?
|
||||||
|
|
||||||
# CDNs are always allowed
|
|
||||||
return true if SiteSetting.s3_cdn_url.present? &&
|
|
||||||
@uri.hostname == URI(SiteSetting.s3_cdn_url).hostname
|
|
||||||
|
|
||||||
global_cdn = GlobalSetting.try(:cdn_url)
|
|
||||||
return true if global_cdn.present? &&
|
|
||||||
@uri.hostname == URI(global_cdn).hostname
|
|
||||||
|
|
||||||
return false unless @uri && @uri.host
|
return false unless @uri && @uri.host
|
||||||
|
|
||||||
|
# Whitelisted hosts
|
||||||
|
return true if hostname_matches?(SiteSetting.s3_cdn_url) ||
|
||||||
|
hostname_matches?(GlobalSetting.try(:cdn_url)) ||
|
||||||
|
hostname_matches?(Discourse.base_url_no_prefix)
|
||||||
|
|
||||||
address_s = @opts[:lookup_ip].call(@uri.hostname)
|
address_s = @opts[:lookup_ip].call(@uri.hostname)
|
||||||
return false unless address_s
|
return false unless address_s
|
||||||
|
|
||||||
|
|
|
@ -240,6 +240,21 @@ describe FinalDestination do
|
||||||
it "returns true for private ipv6" do
|
it "returns true for private ipv6" do
|
||||||
expect(fd("https://[fdd7:b450:d4d1:6b44::1]").is_dest_valid?).to eq(false)
|
expect(fd("https://[fdd7:b450:d4d1:6b44::1]").is_dest_valid?).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "returns true for the base uri" do
|
||||||
|
SiteSetting.force_hostname = "final-test.example.com"
|
||||||
|
expect(fd("https://final-test.example.com/onebox").is_dest_valid?).to eq(true)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns true for the S3 CDN url" do
|
||||||
|
SiteSetting.s3_cdn_url = "https://s3.example.com"
|
||||||
|
expect(fd("https://s3.example.com/some/thing").is_dest_valid?).to eq(true)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns true for the CDN url" do
|
||||||
|
GlobalSetting.stubs(:cdn_url).returns("https://cdn.example.com/discourse")
|
||||||
|
expect(fd("https://cdn.example.com/some/asset").is_dest_valid?).to eq(true)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
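Review bot: The three new examples only assert the positive case, so nothing here would catch a later loosening of `hostname_matches?` from an exact hostname comparison to a suffix or substring match; a host that merely contains the base hostname (for example `https://sub.final-test.example.com/x`) should still fall through to the IP lookup. Consider adding one example next to `it "returns true for the base uri"` that sets `force_hostname` the same way and expects `is_dest_valid?` to be `false` for a non-identical host whose lookup resolves to a private address; the `fd` helper and how it stubs the lookup are outside this hunk, so the exact setup may differ. The new examples also rely on `SiteSetting` and `GlobalSetting` being reset between examples, which the hunk does not show.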
|
|