SECURITY: Don't allow base_uri as embeddable host if none exist
parent
756104432e
commit
d5c5ca46b6
@ -44,7 +44,7 @@ class EmbeddableHost < ActiveRecord::Base
|
||||
|
||||
def self.url_allowed?(url)
|
||||
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
|
||||
return true if url&.starts_with?(Discourse.base_url)
|
||||
return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
|
||||
|
||||
uri = begin
|
||||
URI(UrlHelper.escape_uri(url))
|
||||
|
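Review bot: The new guard on the `return true` line still decides by string prefix — `url&.starts_with?(Discourse.base_url)` — so any URL whose text merely begins with the base URL satisfies it, which is a weaker check than comparing the parsed host; the added `EmbeddableHost.exists?` narrows when the shortcut applies but not what it matches. Since `uri` is parsed a few lines further down anyway, the shortcut could be moved below that parse (after whatever its rescue branch does on failure, which is outside the hunk) and compare hosts: `return true if uri.host == URI(Discourse.base_url).host && EmbeddableHost.exists?`; whether `Discourse.base_url` can carry a path prefix that must also be honoured is not visible here. The comment above the line should also record why the existence check was added, e.g. `# ... but only once at least one host is configured; with none, the forum's own URL must not count as embeddable either`. The body of `url_allowed?` continues outside the hunk, so the remaining host matching is not visible.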
@ -65,6 +65,10 @@ describe EmbeddableHost do
|
||||
end
|
||||
end
|
||||
|
||||
it "doesn't allow forum own URL if no hosts exist" do
|
||||
expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
|
||||
end
|
||||
|
||||
describe "url_allowed?" do
|
||||
fab!(:host) { Fabricate(:embeddable_host) }
|
||||
|
||||
|
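Review bot: The new example asserts only the negative outcome and relies on the database holding no `EmbeddableHost` rows without stating it; making that precondition explicit documents the intent, `expect(EmbeddableHost.exists?).to eq(false)` placed before the existing expectation. The positive half of the new rule — the forum's own URL is allowed once a host exists — has no example in this hunk; one line inside the `describe "url_allowed?"` block, which fabricates `host` and continues past the hunk, would pin it: `expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(true)`. Whether such an example already exists further down the file is not visible here.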