Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-09-07 12:02:53 +08:00
Code Packages Activity Actions 5

SECURITY: Never crawl by IP

Browse source
This commit is contained in:
Robin Ward 2017-05-23 13:07:18 -04:00
parent 93a5fc62bf
commit e5e7a15a85
2 changed files with 9 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

11
lib/final_destination.rb
View file

@ -68,14 +68,11 @@ class FinalDestination
def validate_uri_format def validate_uri_format
return false unless @uri return false unless @uri
return false unless ['https', 'http'].include?(@uri.scheme) return false unless ['https', 'http'].include?(@uri.scheme)
return false if @uri.scheme == 'http' && @uri.port != 80
return false if @uri.scheme == 'https' && @uri.port != 443
if @uri.scheme == 'http' # Disallow IP based crawling
return @uri.port == 80 (IPAddr.new(@uri.hostname) rescue nil).nil?
elsif @uri.scheme == 'https'
return @uri.port == 443
end
false
end end
def is_public? def is_public?

5
spec/components/final_destination_spec.rb
View file

@ -123,6 +123,11 @@ describe FinalDestination do
expect(fd('ftp://eviltrout.com').validate_uri_format).to eq(false) expect(fd('ftp://eviltrout.com').validate_uri_format).to eq(false)
end end
it "doesn't support IP urls" do
expect(fd('http://104.25.152.10').validate_uri_format).to eq(false)
expect(fd('https://[2001:abc:de:01:0:3f0:6a65:c2bf]').validate_uri_format).to eq(false)
end
it "returns false for schemeless URL" do it "returns false for schemeless URL" do
expect(fd('eviltrout.com').validate_uri_format).to eq(false) expect(fd('eviltrout.com').validate_uri_format).to eq(false)
end end