Limits the schemes that custom field URL patterns can use (#22925).

git-svn-id: http://svn.redmine.org/redmine/trunk@15435 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/custom_field.rb

@@ -262,6 +262,14 @@ class CustomField < ActiveRecord::Base
     args.include?(field_format)
   end
 
+  def self.human_attribute_name(attribute_key_name, *args)
+    attr_name = attribute_key_name.to_s
+    if attr_name == 'url_pattern'
+      attr_name = "url"
+    end
+    super(attr_name, *args)
+  end
+
   protected
 
   # Removes multiple values for the custom field after setting the multiple attribute to false

lib/redmine/field_format.rb

@@ -48,6 +48,7 @@ module Redmine
     class Base
       include Singleton
       include Redmine::I18n
+      include Redmine::Helpers::URL
       include ERB::Util
 
       class_attribute :format_name
@@ -149,7 +150,12 @@ module Redmine
       # Returns the validation errors for custom_field
       # Should return an empty array if custom_field is valid
       def validate_custom_field(custom_field)
-        []
+        errors = []
+        pattern = custom_field.url_pattern
+        if pattern.present? && !uri_with_safe_scheme?(url_pattern_without_tokens(pattern))
+          errors << [:url_pattern, :invalid]
+        end
+        errors
       end
 
       # Returns the validation error messages for custom_value
@@ -178,7 +184,7 @@ module Redmine
             url = url_from_pattern(custom_field, single_value, customized)
             [text, url]
           end
-          links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to text, url}
+          links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to_if uri_with_safe_scheme?(url), text, url}
           links.join(', ').html_safe
         else
           casted
@@ -210,6 +216,13 @@ module Redmine
       end
       protected :url_from_pattern
 
+      # Returns the URL pattern with substitution tokens removed,
+      # for validation purpose
+      def url_pattern_without_tokens(url_pattern)
+        url_pattern.to_s.gsub(/%(value|id|project_id|project_identifier|m\d+)%/, '')
+      end
+      protected :url_pattern_without_tokens
+
       def edit_tag(view, tag_id, tag_name, custom_value, options={})
         view.text_field_tag(tag_name, custom_value.value, options.merge(:id => tag_id))
       end

test/unit/lib/redmine/field_format/field_format_test.rb

@@ -20,6 +20,10 @@ require File.expand_path('../../../../../test_helper', __FILE__)
 class Redmine::FieldFormatTest < ActionView::TestCase
   include ApplicationHelper
 
+  def setup
+    set_language_if_valid 'en'
+  end
+
   def test_string_field_with_text_formatting_disabled_should_not_format_text
     field = IssueCustomField.new(:field_format => 'string')
     custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "*foo*")
@@ -52,6 +56,17 @@ class Redmine::FieldFormatTest < ActionView::TestCase
     assert_include "<strong>foo</strong>", field.format.formatted_custom_value(self, custom_value, true)
   end
 
+  def test_should_validate_url_pattern_with_safe_scheme
+    field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'http://foo/%value%')
+    assert_save field
+  end
+
+  def test_should_not_validate_url_pattern_with_unsafe_scheme
+    field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'foo://foo/%value%')
+    assert !field.save
+    assert_include "URL is invalid", field.errors.full_messages
+  end
+
   def test_text_field_with_url_pattern_should_format_as_link
     field = IssueCustomField.new(:field_format => 'string', :url_pattern => 'http://foo/%value%')
     custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar")