Validate URI scheme also for internal URI
This is a backport for 11.4 stable branch.

Gitlab::UrlBlocker ignores scheme when validating URI matching either config.gitlab or config.gitlab_shell.

This patch enforces matching config.gitlab.protocol for internal web and ssh for internal shell.

A cleanup migration for stored XSS from environments table is included.
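The difference between host-only and scheme-aware matching of internal URIs, shown as an added Ruby illustration. It is not the code from this commit: `SETTINGS`, `endpoint_match?`, `internal_uri?`, `scheme_only_rejections` and the sample URLs are hypothetical names and constructed values standing in for config.gitlab and config.gitlab_shell.

```ruby
require 'uri'

# Hypothetical stand-in for config.gitlab and config.gitlab_shell; all values
# are constructed for this example.
SETTINGS = {
  web:   { scheme: 'https', host: 'gitlab.example.com', port: 443 },
  shell: { scheme: 'ssh',   host: 'gitlab.example.com', port: 22 }
}.freeze

# True when the URI points at one configured endpoint. With enforce_scheme
# false this is a host/port-only comparison; with true the scheme must
# match the endpoint as well.
def endpoint_match?(uri, endpoint, enforce_scheme)
  return false if enforce_scheme && uri.scheme&.downcase != endpoint[:scheme]

  uri.host&.downcase == endpoint[:host] &&
    (uri.port.nil? || uri.port == endpoint[:port])
end

# Decide whether a URL counts as "internal", i.e. the instance's own web or
# SSH endpoint. Unparseable input is never internal.
def internal_uri?(url, enforce_scheme:)
  uri = URI.parse(url)
  SETTINGS.values.any? { |ep| endpoint_match?(uri, ep, enforce_scheme) }
rescue URI::InvalidURIError
  false
end

# Constructed sample inputs.
SAMPLES = [
  'https://gitlab.example.com/group/project',
  'ssh://git@gitlab.example.com/group/project.git',
  'javascript://gitlab.example.com/x',
  'http://gitlab.example.com:443/group/project',
  'https://other.example.org/group/project'
].freeze

# URLs the host-only check accepts as internal but the scheme-aware check rejects.
def scheme_only_rejections
  SAMPLES.select do |url|
    internal_uri?(url, enforce_scheme: false) && !internal_uri?(url, enforce_scheme: true)
  end
end

puts scheme_only_rejections if __FILE__ == $PROGRAM_NAME
```

A regression test for a validator of this kind should keep at least one non-web scheme with a matching host in its rejected set, since that is the case a host-only comparison lets through.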