SECURITY: Don't allow base_uri as embeddable host if none exist

SECURITY: Don’t allow base_uri as embeddable host if none exist

diff --git a/app/models/embeddable_host.rb b/app/models/embeddable_host.rb
index 71b4478..788fc8b 100644
--- a/app/models/embeddable_host.rb
+++ b/app/models/embeddable_host.rb
@@ -44,7 +44,7 @@ class EmbeddableHost < ActiveRecord::Base
 
   def self.url_allowed?(url)
     # Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
-    return true if url&.starts_with?(Discourse.base_url)
+    return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
 
     uri = begin
       URI(UrlHelper.escape_uri(url))
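Review bot: The added `EmbeddableHost.exists?` guard on the changed line closes the empty-table case, but the shortcut is still a plain string prefix test: `starts_with?(Discourse.base_url)` accepts any URL whose text merely begins with the base URL, and nothing requires a `/` or end-of-string right after the match, so a different host whose name extends the forum's hostname would also pass. Comparing the parsed origin is the tighter check, e.g. `base = URI(Discourse.base_url)` followed by `return true if EmbeddableHost.exists? && uri.scheme == base.scheme && uri.host == base.host && uri.port == base.port`, placed after the `uri = begin … end` parse that starts at the bottom of the hunk. Putting `EmbeddableHost.exists?` first in the conjunction also avoids a database query on every call whose URL does not match. The body of `url_allowed?` continues past the hunk, so how `uri` is consumed afterwards is not visible here.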
diff --git a/spec/models/embeddable_host_spec.rb b/spec/models/embeddable_host_spec.rb
index bdcc060..d55e112 100644
--- a/spec/models/embeddable_host_spec.rb
+++ b/spec/models/embeddable_host_spec.rb
@@ -65,6 +65,10 @@ describe EmbeddableHost do
     end
   end
 
+  it "doesn't allow forum own URL if no hosts exist" do
+    expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
+  end
+
   describe "url_allowed?" do
     fab!(:host) { Fabricate(:embeddable_host) }
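Review bot: The new example depends on the table holding no EmbeddableHost rows, but that precondition is only implied by its placement outside the `describe "url_allowed?"` block whose `fab!(:host)` fabricates one; wrapping it in `context "with no embeddable hosts"` or asserting `expect(EmbeddableHost.exists?).to eq(false)` first makes the assumption explicit and keeps the example from silently changing meaning if an outer fabrication is added later. A complementary positive example, base_url allowed once a host exists, would pin the WebKit workaround that the production change intentionally preserves; it may already live inside the describe block, which the hunk does not show.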

GitHub sha: d5c5ca46


Does this affect the stable branch?

I think it does, we will backport it.

This has been backported to both stable and beta.
