fix: solo validar el host de archivo subido si estamos validando hosts #13181

2024-07-01 11:56:08 +00:00 · 2023-04-20 18:30:10 -03:00 · 2023-04-20 18:30:10 -03:00 · 7c6f3ca8b4
parent 47ffb7ebca
commit 7c6f3ca8b4
1 changed files with 7 additions and 2 deletions
--- a/app/models/metadata_content.rb
+++ b/app/models/metadata_content.rb
@ -56,8 +56,13 @@ class MetadataContent < MetadataTemplate

        uri = URI element['src']

-        # No permitimos recursos externos
-        raise URI::Error unless Rails.application.config.hosts.include?(uri.hostname)
+        # No permitimos recursos externos, solo si sabemos cuales son
+        # los recursos locales
+        if Rails.application.config.hosts.present?
+          unless Rails.application.config.hosts.include?(uri.hostname)
+            raise URI::Error
+          end
+        end

        element['src'] = convert_src_to_internal_path uri