Commit a2a21c5e authored by Stan Hu's avatar Stan Hu

Escape username and password in UrlSanitizer#full_url

If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.
parent 14285d35
---
title: Escape username and password in UrlSanitizer#full_url
merge_request: 20684
author:
type: fixed
......@@ -71,12 +71,10 @@ module Gitlab
def generate_full_url
return @url unless valid_credentials?
generated = @url.dup
@url.dup.tap do |generated|
generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
generated
end
end
def safe_url
......
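Review bot: The new `encode_percent` calls on the `generated.password =` and `generated.user =` lines assume `credentials[:password]` and `credentials[:user]` hold raw, un-encoded values; if a caller ever supplies a value that is already percent-encoded (say a password lifted from a URL and not decoded), the `%` is re-encoded to `%25` and the credential no longer round-trips. Whether that can happen depends on how `credentials` is populated, which is outside this hunk, as is the definition of `encode_percent`. It is also worth confirming that `encode_percent` escapes `@` and `:`, the two userinfo delimiters that matter most here: a password containing an unescaped `@` written into `generated.password` would move the host boundary of the resulting URL, which is exactly the input UrlBlocker needs to see correctly. I would pin the contract with a comment above the `tap` block: `# credentials are raw (not percent-encoded); encode_percent must escape userinfo delimiters (@ : / # ?) so the host cannot be rewritten`.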
......@@ -147,6 +147,8 @@ describe Gitlab::UrlSanitizer do
'http://foo:bar@example.com' | :same
'http://foo:g p@example.com' | 'http://foo:g%20p@example.com'
'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com'
'http://t u:a#b@example.com' | 'http://t%20u:a%23b@example.com'
'http://t+u:a#b@example.com' | 'http://t%2Bu:a%23b@example.com'
end
with_them do
......
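Review bot: The added rows cover space, `/`, `#` and `+` but not `@` or `:`, which are the characters that actually change how a userinfo is parsed, so the most security-relevant case is still untested; add `'http://foo:a@b@example.com' | 'http://foo:a%40b@example.com'` and `'http://foo:a:b@example.com' | 'http://foo:a%3Ab@example.com'`, assuming the row inputs are turned into credentials the same way the existing `s/h` row is (that parsing happens in the `with_them` block, which is cut off here). A row whose credential already contains a percent-escape such as `%2F` would also document whether `full_url` re-encodes it, since the `:same` row on the first line only exercises unreserved characters. The table is cut at both ends of this hunk, so where these rows should sit relative to the existing ones is not visible.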