From cd20d0fdfd3b9be963810634a334cd3a1df6d9dd Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Sun, 29 Sep 2019 20:51:59 -0400
Subject: [PATCH] SECURITY: Don't allow base_uri as embeddable host if none exist
---
 app/models/embeddable_host.rb | 2 +-
 spec/models/embeddable_host_spec.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/models/embeddable_host.rb b/app/models/embeddable_host.rb
index 545eeba5f20..1dcbffca61f 100644
--- a/app/models/embeddable_host.rb
+++ b/app/models/embeddable_host.rb
@@ -44,7 +44,7 @@ class EmbeddableHost < ActiveRecord::Base
 def self.url_allowed?(url)
 # Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
- return true if url&.starts_with?(Discourse.base_url)
+ return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
 uri = begin
 URI(UrlHelper.escape_uri(url))
diff --git a/spec/models/embeddable_host_spec.rb b/spec/models/embeddable_host_spec.rb
index bdcc060be32..d55e112e601 100644
--- a/spec/models/embeddable_host_spec.rb
+++ b/spec/models/embeddable_host_spec.rb
@@ -65,6 +65,10 @@ describe EmbeddableHost do
 end
 end
+ it "doesn't allow forum own URL if no hosts exist" do
+ expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
+ end
+
 describe "url_allowed?" do
 fab!(:host) { Fabricate(:embeddable_host) }
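Review bot: The amended guard still decides on a string prefix, so `url&.starts_with?(Discourse.base_url)` accepts any URL that merely begins with the forum's base URL, including one whose hostname is longer than the forum's own; the added `EmbeddableHost.exists?` narrows when the shortcut applies, not what it matches. The robust form compares parsed components: since `uri` is parsed immediately below, the shortcut could move after that parse and read `return true if EmbeddableHost.exists? && uri.host == URI(Discourse.base_url).host` (scheme and port too if the referer is expected to carry them), which also avoids the count query until the host actually matches. A why-comment would help future readers, e.g. `# The forum's own URL is only trusted once embedding has been configured at all`. The body of `url_allowed?` continues outside the hunk, so the rescue for the parse is not visible here; the comparison belongs after it so a nil `uri` is handled.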
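Review bot: The new example pins only the negative branch; the positive behaviour the workaround exists for (the forum's own URL is allowed once a host is configured) has no companion example, so a later change that drops the shortcut entirely would still pass. Inside `describe "url_allowed?"`, where `fab!(:host)` already provides a host, add `it "allows the forum's own URL when a host exists" do` / `expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(true)` / `end`. Given that `url_allowed?` compares with `starts_with?`, an example passing a URL that merely starts with `Discourse.base_url` but belongs to a different host, expecting `false`, would document the intended boundary as well. The `describe "url_allowed?"` block continues outside the hunk.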