canvas-lms/gems/canvas_http
Jeremy Stanley 528527a171 fix non-ASCII URI validation
the allowed-schemes and safe-hosts checks were being bypassed
when non-ASCII characters were used in a URI

test plan:
 - create an external tool module item
 - attempt to change the URL link to
   javascript:alert(document.domain);//嘊
 - it should be rejected

fixes SEC-2317

Change-Id: Ib2fe75f302af61c596ef2123cc4238975b42698f
Reviewed-on: https://gerrit.instructure.com/189519
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
2019-04-18 19:00:35 +00:00
lib fix non-ASCII URI validation 2019-04-18 19:00:35 +00:00
spec fix non-ASCII URI validation 2019-04-18 19:00:35 +00:00
Gemfile restore and fix "stream inst-fs direct uploads" 2018-08-30 18:37:07 +00:00
Rakefile Extract canvas_http into separate gem. 2014-04-02 17:22:38 +00:00
canvas_http.gemspec restore and fix "stream inst-fs direct uploads" 2018-08-30 18:37:07 +00:00
test.sh simplify gem test harnesses 2016-01-19 17:52:58 +00:00