diff --git a/Gemfile b/Gemfile index 6e26c4bc037..911172110c6 100644 --- a/Gemfile +++ b/Gemfile @@ -91,7 +91,7 @@ gem "cgi", "~> 0.3.5" # CVE-2023-28756 fixed: ruby 3.1.4 - https://github.com/advisories/GHSA-fg7x-g82r-94qc gem "time", "~> 0.2.2" # CVE-2023-36617 https://github.com/advisories/GHSA-hww2-5g85-429m -gem "uri", "~> 0.13.1" # Avoid URI 1.0.0 for now due to: https://github.com/ruby/uri/issues/125 +gem "uri", "~>1.0", ">=1.0.1" # Avoid URI 1.0.0 due to: https://github.com/ruby/uri/issues/125 # Custom gem that replaces mime-types in order to redirect mime-types calls to mini_mime # Source is located at https://github.com/ManageIQ/mime-types-redirector diff --git a/app/models/external_url.rb b/app/models/external_url.rb index 49329269fbf..f8c84fb4cfd 100644 --- a/app/models/external_url.rb +++ b/app/models/external_url.rb @@ -2,5 +2,5 @@ class ExternalUrl < ApplicationRecord belongs_to :resource, :polymorphic => true belongs_to :user - validates :url, :format => URI::DEFAULT_PARSER.make_regexp, :allow_nil => false + validates :url, :format => URI::RFC2396_PARSER.make_regexp, :allow_nil => false end diff --git a/app/models/file_depot_ftp.rb b/app/models/file_depot_ftp.rb index f50134b72da..55a425970a7 100644 --- a/app/models/file_depot_ftp.rb +++ b/app/models/file_depot_ftp.rb @@ -127,7 +127,7 @@ def destination_path def base_path # uri: "ftp://ftp.example.com/incoming" => # - path = URI(URI::DEFAULT_PARSER.escape(uri)).path + path = URI(URI::RFC2396_PARSER.escape(uri)).path Pathname.new(path) end diff --git a/app/models/git_repository.rb b/app/models/git_repository.rb index 80fdec187af..e1db36468d0 100644 --- a/app/models/git_repository.rb +++ b/app/models/git_repository.rb 
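Review bot: In app/models/external_url.rb the new `URI::RFC2396_PARSER.make_regexp` call still has no scheme list and no anchors, so the format check accepts any string that merely contains something URI-shaped, under any scheme (as far as I can tell `javascript:` and `data:` values pass). If these URLs are ever rendered as links, that makes the validation ineffective against script-bearing URLs. I would restrict and anchor it, e.g. `validates :url, :format => /\A#{URI::RFC2396_PARSER.make_regexp(%w[http https])}\z/, :allow_nil => false`, with the scheme list confirmed against real usage. The `GitRepository` `:url` validation in app/models/git_repository.rb has the same unanchored first alternative, and its second alternative is anchored only at the start.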
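Review bot: `base_path` in app/models/file_depot_ftp.rb builds its `Pathname` from the still-escaped path, so a depot URI with a space in it comes back with `%20` in the path, as does any other character the RFC 2396 escaper rewrites. `build_log_uri` in app/models/log_file.rb reverses only `%20` after the same `escape` call, so the two methods disagree on how an escaped path is treated. How the Pathname is consumed is not visible in this hunk; if it is sent to the FTP server as-is, consider decoding once here, e.g. `Pathname.new(URI::RFC2396_PARSER.unescape(path))`. A spec with a space in the depot URI would pin the intended behaviour.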
@@ -9,7 +9,7 @@ class GitRepository < ApplicationRecord attr_reader :git_lock - validates :url, :format => Regexp.union(URI::DEFAULT_PARSER.make_regexp(%w[http https file ssh]), /\A[-\w:.]+@.*:/), :allow_nil => false + validates :url, :format => Regexp.union(URI::RFC2396_PARSER.make_regexp(%w[http https file ssh]), /\A[-\w:.]+@.*:/), :allow_nil => false default_value_for :verify_ssl, OpenSSL::SSL::VERIFY_PEER validates :verify_ssl, :inclusion => {:in => [OpenSSL::SSL::VERIFY_NONE, OpenSSL::SSL::VERIFY_PEER]} diff --git a/app/models/log_file.rb b/app/models/log_file.rb index b8c6ef62622..898104d03cb 100644 --- a/app/models/log_file.rb +++ b/app/models/log_file.rb @@ -27,7 +27,7 @@ def relative_path_for_upload(loc_file) # Base is the URI defined by the user # loc_file is the name of the original file def build_log_uri(base_uri, loc_file) - scheme, userinfo, host, port, registry, path, opaque, query, fragment = URI.split(URI::DEFAULT_PARSER.escape(base_uri)) + scheme, userinfo, host, port, registry, path, opaque, query, fragment = URI.split(URI::RFC2396_PARSER.escape(base_uri)) # Convert encoded spaces back to spaces path.gsub!('%20', ' ') @@ -211,7 +211,7 @@ def get_post_method(uri) # Strip any leading and trailing whitespace uri.strip! - URI.split(URI::DEFAULT_PARSER.escape(uri))[0] + URI.split(URI::RFC2396_PARSER.escape(uri))[0] end def legacy_depot_hash diff --git a/app/models/mixins/file_depot_mixin.rb b/app/models/mixins/file_depot_mixin.rb index fcce324165a..c5b3488ac8a 100644 --- a/app/models/mixins/file_depot_mixin.rb +++ b/app/models/mixins/file_depot_mixin.rb @@ -57,7 +57,7 @@ def get_uri_prefix(uri_str) # Strip any leading and trailing whitespace uri_str.strip! - scheme, _userinfo, _host, _port, _registry, _path, _opaque, _query, _fragment = URI.split(URI::DEFAULT_PARSER.escape(uri_str)) + scheme, _userinfo, _host, _port, _registry, _path, _opaque, _query, _fragment = URI.split(URI::RFC2396_PARSER.escape(uri_str)) scheme end end
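Review bot: `get_post_method` in app/models/log_file.rb and `get_uri_prefix` in app/models/mixins/file_depot_mixin.rb are the same scheme extraction written twice, and both call `strip!` on the caller's string just before the changed line. The in-place strip mutates the argument and raises FrozenError on a frozen string; `URI.split(URI::RFC2396_PARSER.escape(uri.strip))[0]` avoids both and would let one method delegate to the other. Neither method rescues `URI::InvalidURIError`, which `URI.split` raises when the input is still unparseable after escaping; whether callers handle that is not visible here. Both method bodies begin outside their hunks.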