Commit a2a21c5e authored by Stan Hu's avatar Stan Hu

Escape username and password in UrlSanitizer#full_url

If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.
parent 14285d35
---
title: Escape username and password in UrlSanitizer#full_url
merge_request: 20684
author:
type: fixed
...@@ -71,12 +71,10 @@ module Gitlab ...@@ -71,12 +71,10 @@ module Gitlab
def generate_full_url def generate_full_url
return @url unless valid_credentials? return @url unless valid_credentials?
generated = @url.dup @url.dup.tap do |generated|
generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
generated.password = encode_percent(credentials[:password]) if credentials[:password].present? generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
generated.user = encode_percent(credentials[:user]) if credentials[:user].present? end
generated
end end
def safe_url def safe_url
......
...@@ -147,6 +147,8 @@ describe Gitlab::UrlSanitizer do ...@@ -147,6 +147,8 @@ describe Gitlab::UrlSanitizer do
'http://foo:bar@example.com' | :same 'http://foo:bar@example.com' | :same
'http://foo:g p@example.com' | 'http://foo:g%20p@example.com' 'http://foo:g p@example.com' | 'http://foo:g%20p@example.com'
'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com' 'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com'
'http://t u:a#b@example.com' | 'http://t%20u:a%23b@example.com'
'http://t+u:a#b@example.com' | 'http://t%2Bu:a%23b@example.com'
end end
with_them do with_them do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment