diff options
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/account/field.rb | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/app/models/account/field.rb b/app/models/account/field.rb index 4e0fd9230..d74f90b2b 100644 --- a/app/models/account/field.rb +++ b/app/models/account/field.rb @@ -3,6 +3,7 @@ class Account::Field < ActiveModelSerializers::Model MAX_CHARACTERS_LOCAL = 255 MAX_CHARACTERS_COMPAT = 2_047 + ACCEPTED_SCHEMES = %w(http https).freeze attributes :name, :value, :verified_at, :account @@ -34,7 +35,20 @@ class Account::Field < ActiveModelSerializers::Model end def verifiable? - value_for_verification.present? && /\A#{FetchLinkCardService::URL_PATTERN}\z/.match?(value_for_verification) + return false if value_for_verification.blank? + + # This is slower than checking through a regular expression, but we + # need to confirm that it's not an IDN domain. + + parsed_url = Addressable::URI.parse(value_for_verification) + + ACCEPTED_SCHEMES.include?(parsed_url.scheme) && + parsed_url.user.nil? && + parsed_url.password.nil? && + parsed_url.host.present? && + parsed_url.normalized_host == parsed_url.host + rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError + false end def requires_verification? |