Escape username and password in UrlSanitizer#full_url (!20684) · Merge requests · GitLab.org / GitLab FOSS

Stan Hu requested to merge sh-normalize-urls into master Jul 18, 2018

If a user uses a password with certain characters (e.g. /, #, +, etc.) UrlSanitizer#full_url will generate an invalid URL that cannot be parsed properly by Addressable::URI. If used with UrlBlocker, this will be flagged as an invalid URI.

Related discussion: https://github.com/sporkmonger/addressable/issues/42

Edited Jul 18, 2018 by Stan Hu

Admin message

Escape username and password in UrlSanitizer#full_url

Merge request reports