Merged r15431 to r15435 (#22924, #22925, #22926).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@15440 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/helpers/application_helper.rb

@@ -28,6 +28,7 @@ module ApplicationHelper
   include Redmine::SudoMode::Helper
   include Redmine::Themes::Helper
   include Redmine::Hook::Helper
+  include Redmine::Helpers::URL
 
   extend Forwardable
   def_delegators :wiki_helper, :wikitoolbar_for, :heads_for_wiki_formatter

app/models/custom_field.rb

@@ -262,6 +262,14 @@ class CustomField < ActiveRecord::Base
     args.include?(field_format)
   end
 
+  def self.human_attribute_name(attribute_key_name, *args)
+    attr_name = attribute_key_name.to_s
+    if attr_name == 'url_pattern'
+      attr_name = "url"
+    end
+    super(attr_name, *args)
+  end
+
   protected
 
   # Removes multiple values for the custom field after setting the multiple attribute to false

app/views/projects/show.html.erb

@@ -26,7 +26,7 @@
   <% if @project.homepage.present? || @subprojects.any? || @project.visible_custom_field_values.any?(&:present?) %>
   <ul>
   <% unless @project.homepage.blank? %>
-    <li><span class="label"><%=l(:field_homepage)%>:</span> <%= link_to @project.homepage, @project.homepage %></li>
+    <li><span class="label"><%=l(:field_homepage)%>:</span> <%= link_to_if uri_with_safe_scheme?(@project.homepage), @project.homepage, @project.homepage %></li>
   <% end %>
   <% if @subprojects.any? %>
     <li><span class="label"><%=l(:label_subproject_plural)%>:</span>

lib/redcloth3.rb

@@ -165,6 +165,7 @@
 #  class RedCloth::Textile.new( str )
 
 class RedCloth3 < String
+    include Redmine::Helpers::URL
 
     VERSION = '3.0.4'
     DEFAULT_RULES = [:textile, :markdown]
@@ -960,6 +961,8 @@ class RedCloth3 < String
             href, alt_title = check_refs( href ) if href
             url, url_title = check_refs( url )
 
+            return m unless uri_with_safe_scheme?(url)
+
             out = ''
             out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
             out << "<img#{ shelve( atts ) } />"

lib/redmine/field_format.rb

@@ -48,6 +48,7 @@ module Redmine
     class Base
       include Singleton
       include Redmine::I18n
+      include Redmine::Helpers::URL
       include ERB::Util
 
       class_attribute :format_name
@@ -149,7 +150,12 @@ module Redmine
       # Returns the validation errors for custom_field
       # Should return an empty array if custom_field is valid
       def validate_custom_field(custom_field)
-        []
+        errors = []
+        pattern = custom_field.url_pattern
+        if pattern.present? && !uri_with_safe_scheme?(url_pattern_without_tokens(pattern))
+          errors << [:url_pattern, :invalid]
+        end
+        errors
       end
 
       # Returns the validation error messages for custom_value
@@ -178,7 +184,7 @@ module Redmine
             url = url_from_pattern(custom_field, single_value, customized)
             [text, url]
           end
-          links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to text, url}
+          links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to_if uri_with_safe_scheme?(url), text, url}
           links.join(', ').html_safe
         else
           casted
@@ -210,6 +216,13 @@ module Redmine
       end
       protected :url_from_pattern
 
+      # Returns the URL pattern with substitution tokens removed,
+      # for validation purpose
+      def url_pattern_without_tokens(url_pattern)
+        url_pattern.to_s.gsub(/%(value|id|project_id|project_identifier|m\d+)%/, '')
+      end
+      protected :url_pattern_without_tokens
+
       def edit_tag(view, tag_id, tag_name, custom_value, options={})
         view.text_field_tag(tag_name, custom_value.value, options.merge(:id => tag_id))
       end

lib/redmine/helpers/url.rb

@@ -0,0 +1,35 @@
+# Redmine - project management software
+# Copyright (C) 2006-2016  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require 'uri'
+
+module Redmine
+  module Helpers
+    module URL
+      def uri_with_safe_scheme?(uri, schemes = ['http', 'https', 'ftp', 'mailto', nil])
+        # URLs relative to the current document or document root (without a protocol
+        # separator, should be harmless
+        return true unless uri.include? ":"
+    
+        # Other URLs need to be parsed
+        schemes.include? URI.parse(uri).scheme
+      rescue URI::InvalidURIError
+        false
+      end
+    end
+  end
+end

lib/redmine/wiki_formatting/markdown/formatter.rb

@@ -22,8 +22,11 @@ module Redmine
     module Markdown
       class HTML < Redcarpet::Render::HTML
         include ActionView::Helpers::TagHelper
+        include Redmine::Helpers::URL
 
         def link(link, title, content)
+          return nil unless uri_with_safe_scheme?(link)
+
           css = nil
           unless link && link.starts_with?('/')
             css = 'external'
@@ -40,6 +43,12 @@ module Redmine
             "<pre>" + CGI.escapeHTML(code) + "</pre>"
           end
         end
+
+        def image(link, title, alt_text)
+          return unless uri_with_safe_scheme?(link)
+
+          tag('img', :src => link, :alt => alt_text || "", :title => title)
+        end
       end
 
       class Formatter

test/unit/helpers/application_helper_test.rb

@@ -164,7 +164,7 @@ RAW
 
     attachment = Attachment.generate!(:filename => 'café.jpg')
     with_settings :text_formatting => 'markdown' do
-      assert_include %(<img src="/attachments/download/#{attachment.id}/caf%C3%A9.jpg" alt="">),
+      assert_include %(<img src="/attachments/download/#{attachment.id}/caf%C3%A9.jpg" alt="" />),
         textilizable("![](café.jpg)", :attachments => [attachment])
     end
   end

test/unit/lib/redmine/field_format/field_format_test.rb

@@ -20,6 +20,10 @@ require File.expand_path('../../../../../test_helper', __FILE__)
 class Redmine::FieldFormatTest < ActionView::TestCase
   include ApplicationHelper
 
+  def setup
+    set_language_if_valid 'en'
+  end
+
   def test_string_field_with_text_formatting_disabled_should_not_format_text
     field = IssueCustomField.new(:field_format => 'string')
     custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "*foo*")
@@ -52,6 +56,17 @@ class Redmine::FieldFormatTest < ActionView::TestCase
     assert_include "<strong>foo</strong>", field.format.formatted_custom_value(self, custom_value, true)
   end
 
+  def test_should_validate_url_pattern_with_safe_scheme
+    field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'http://foo/%value%')
+    assert_save field
+  end
+
+  def test_should_not_validate_url_pattern_with_unsafe_scheme
+    field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'foo://foo/%value%')
+    assert !field.save
+    assert_include "URL is invalid", field.errors.full_messages
+  end
+
   def test_text_field_with_url_pattern_should_format_as_link
     field = IssueCustomField.new(:field_format => 'string', :url_pattern => 'http://foo/%value%')
     custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar")