Don't allow URLs that contain non-normalized paths to be verified (#20999)

* Don't allow URLs that contain non-normalized paths to be verified This stops things like https://example.com/otheruser/../realuser where "/otheruser" appears to be the verified URL, but the actual URL being verified is "/realuser" due to the "/../". Also fix a test to use 'https', so it is testing the right thing, now that since #20304 https is required. * missing do
author: David Leadbeater <dgl@dgl.cx> 2022-11-21 05:28:13 +1100
committer: GitHub <noreply@github.com> 2022-11-20 19:28:13 +0100
commit: 69378eac99c013a0db7d2d5ff9a54dfcc287d9ce (patch)
tree: 270c7ddf377f62d1272b9fabcab46fb9a23e54f6 /app/models/account
parent: 48e136605a30fa7ee71a656b599d91adf47b17fc (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/app/models/account/field.rb b/app/models/account/field.rb
index ffc8dce80..4db4cac30 100644
--- a/app/models/account/field.rb
+++ b/app/models/account/field.rb
@@ -46,7 +46,8 @@ class Account::Field < ActiveModelSerializers::Model
       parsed_url.user.nil? &&
       parsed_url.password.nil? &&
       parsed_url.host.present? &&
-      parsed_url.normalized_host == parsed_url.host
+      parsed_url.normalized_host == parsed_url.host &&
+      (parsed_url.path.empty? || parsed_url.path == parsed_url.normalized_path)
   rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
     false
   end
author	David Leadbeater <dgl@dgl.cx>	2022-11-21 05:28:13 +1100
committer	GitHub <noreply@github.com>	2022-11-20 19:28:13 +0100
commit	69378eac99c013a0db7d2d5ff9a54dfcc287d9ce (patch)
tree	270c7ddf377f62d1272b9fabcab46fb9a23e54f6 /app/models/account
parent	48e136605a30fa7ee71a656b599d91adf47b17fc (diff)