Added a whitelist of valid URI schemes for requests.

1 parent 24a5ff7 commit ce71023acafb1b42fdc69b7b1ded83719a60ab7b @nealpoole nealpoole committed Jan 8, 2012
Showing with 9 additions and 1 deletion.
  1. +9 −1 app/app.rb
@@ -203,7 +203,15 @@ def initialize(*args)
# is this a url hurl can handle. basically a spam check.
def invalid_url?(url)
- url.include? 'hurl.it'
+ valid_schemes = ['http', 'https']
+ begin
+ uri = URI.parse(url)
+ raise URI::InvalidURIError if uri.host == 'hurl.it'
+ raise URI::InvalidURIError if !valid_schemes.include? uri.scheme
+ false
+ rescue URI::InvalidURIError
+ true
+ end
end
# update auth based on auth type
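Review bot: the host check on the `raise URI::InvalidURIError if uri.host == 'hurl.it'` line is an exact, case-sensitive comparison, so `www.hurl.it`, `HURL.IT` and any other subdomain are accepted, whereas the removed `url.include? 'hurl.it'` caught all of them; compare a downcased host and cover subdomains, e.g. `host = uri.host.to_s.downcase` followed by `raise URI::InvalidURIError if host == 'hurl.it' || host.end_with?('.hurl.it')`. Two smaller points: a parseable URL with no host such as `http://` passes both checks (scheme is `http`, host is nil) and is reported as valid, so a nil or empty `uri.host` should also be treated as invalid; and raising `URI::InvalidURIError` only to rescue it three lines later is a roundabout way to return `true`, returning directly reads better. The comment "basically a spam check" above the method is also stale now that the method enforces a scheme whitelist and rejects anything other than `http` and `https`.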
