Commit Graph

4 Commits (c24d63d33c4614057a5ea62aa90ca57e482ff243)

Author SHA1 Message Date
David Leadbeater 69378eac99
Don't allow URLs that contain non-normalized paths to be verified (#20999)
* Don't allow URLs that contain non-normalized paths to be verified

This stops things like https://example.com/otheruser/../realuser where
"/otheruser" appears to be the verified URL, but the actual URL being
verified is "/realuser" due to the "/../".

Also fix a test to use 'https', so it is testing the right thing, now
that since #20304 https is required.

* missing do
2022-11-20 19:28:13 +01:00
Emily Strickland c2231539c7
Test blank account field verifiability (#20458)
* Test blank account field verifiability

This change tests the need for #20428, which ensures that we guard against a situation in which `at_xpath` returns `nil`.

* Test verifiability of blank fields for remote account profiles

This adds a counterpart test for remote account profiles' fields' verifiability when those fields are blank. I previously added the same test for local accounts.
2022-11-13 21:02:09 +01:00
Eugen Rochko 9965a23b04
Change link verification to ignore IDN domains (#20295)
Fix #3833
2022-11-10 06:27:45 +01:00
Eugen Rochko e98833748e
Fix being able to spoof link verification (#20217)
- Change verification to happen in `default` queue
- Change verification worker to only be queued if there's something to do
- Add `link` tags from metadata fields to page header of profiles
2022-11-09 08:24:21 +01:00