Strip invalid characters from referer URLs

author: Omar Roth <omarroth@protonmail.com> 2020-03-15 17:37:51 -0400
committer: Omar Roth <omarroth@protonmail.com> 2020-03-15 17:47:16 -0400
commit: 4011a113ccc1241b60f607ce76db982625f7b9b1 (patch)
tree: 7c096cb7301c4e0cae033e052e11044b1bc56e3b /src
parent: 70cbe91776d1de10f2767c6a5ad5912fd705bdd3 (diff)
download: invidious-4011a113ccc1241b60f607ce76db982625f7b9b1.tar.gz
invidious-4011a113ccc1241b60f607ce76db982625f7b9b1.tar.bz2
invidious-4011a113ccc1241b60f607ce76db982625f7b9b1.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/invidious/helpers/utils.cr b/src/invidious/helpers/utils.cr
index 7c5edc5c..a0a619fa 100644
--- a/src/invidious/helpers/utils.cr
+++ b/src/invidious/helpers/utils.cr
@@ -316,7 +316,7 @@ def get_referer(env, fallback = "/", unroll = true)
   end
 
   referer = referer.full_path
-  referer = "/" + referer.lstrip("/\\")
+  referer = "/" + referer.gsub(/[^\/?@&%=\-_.0-9a-zA-Z]/, "").lstrip("/\\")
 
   if referer == env.request.path
     referer = fallback
author	Omar Roth <omarroth@protonmail.com>	2020-03-15 17:37:51 -0400
committer	Omar Roth <omarroth@protonmail.com>	2020-03-15 17:47:16 -0400
commit	4011a113ccc1241b60f607ce76db982625f7b9b1 (patch)
tree	7c096cb7301c4e0cae033e052e11044b1bc56e3b /src
parent	70cbe91776d1de10f2767c6a5ad5912fd705bdd3 (diff)
download	invidious-4011a113ccc1241b60f607ce76db982625f7b9b1.tar.gz invidious-4011a113ccc1241b60f607ce76db982625f7b9b1.tar.bz2 invidious-4011a113ccc1241b60f607ce76db982625f7b9b1.zip