mirror of
https://github.com/discourse/discourse.git
synced 2024-11-23 20:20:43 +08:00
edbc356593
The following methods have long been deprecated in ruby due to flaws in their implementation per http://blade.nagaokaut.ac.jp/cgi-bin/vframe.rb/ruby/ruby-core/29293?29179-31097: URI.escape URI.unescape URI.encode URI.unencode escape/encode are just aliases for one another. This PR uses the Addressable gem to replace these methods with its own encode, unencode, and encode_component methods where appropriate. I have put all references to Addressable::URI here into the UrlHelper to keep them corralled in one place to make changes to this implementation easier. Addressable is now also an explicit gem dependency.
84 lines
2.1 KiB
Ruby
84 lines
2.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class EmbeddableHost < ActiveRecord::Base
|
|
validate :host_must_be_valid
|
|
belongs_to :category
|
|
after_destroy :reset_embedding_settings
|
|
|
|
before_validation do
|
|
self.host.sub!(/^https?:\/\//, '')
|
|
self.host.sub!(/\/.*$/, '')
|
|
end
|
|
|
|
def self.record_for_url(uri)
|
|
|
|
if uri.is_a?(String)
|
|
uri = begin
|
|
URI(UrlHelper.escape_uri(uri))
|
|
rescue URI::Error
|
|
end
|
|
end
|
|
return false unless uri.present?
|
|
|
|
host = uri.host
|
|
return false unless host.present?
|
|
|
|
if uri.port.present? && uri.port != 80 && uri.port != 443
|
|
host << ":#{uri.port}"
|
|
end
|
|
|
|
path = uri.path
|
|
path << "?" << uri.query if uri.query.present?
|
|
|
|
where("lower(host) = ?", host).each do |eh|
|
|
return eh if eh.path_whitelist.blank?
|
|
|
|
path_regexp = Regexp.new(eh.path_whitelist)
|
|
return eh if path_regexp.match(path) || path_regexp.match(UrlHelper.unencode(path))
|
|
end
|
|
|
|
nil
|
|
end
|
|
|
|
def self.url_allowed?(url)
|
|
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
|
|
return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
|
|
|
|
uri = begin
|
|
URI(UrlHelper.escape_uri(url))
|
|
rescue URI::Error
|
|
end
|
|
|
|
uri.present? && record_for_url(uri).present?
|
|
end
|
|
|
|
private
|
|
|
|
def reset_embedding_settings
|
|
unless EmbeddableHost.exists?
|
|
Embedding.settings.each { |s| SiteSetting.set(s.to_s, SiteSetting.defaults[s]) }
|
|
end
|
|
end
|
|
|
|
def host_must_be_valid
|
|
if host !~ /\A[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,24}(:[0-9]{1,5})?(\/.*)?\Z/i &&
|
|
host !~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(:[0-9]{1,5})?(\/.*)?\Z/ &&
|
|
host !~ /\A([a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.)?localhost(\:[0-9]{1,5})?(\/.*)?\Z/i
|
|
errors.add(:host, I18n.t('errors.messages.invalid'))
|
|
end
|
|
end
|
|
end
|
|
|
|
# == Schema Information
|
|
#
|
|
# Table name: embeddable_hosts
|
|
#
|
|
# id :integer not null, primary key
|
|
# host :string not null
|
|
# category_id :integer not null
|
|
# created_at :datetime not null
|
|
# updated_at :datetime not null
|
|
# path_whitelist :string
|
|
# class_name :string
|
|
#
|