Sanitize custom maintenance mode message

Thomas Hutterer requested to merge fix_maintenance_mode_message into master

What does this MR do and why?

Fixes #417596 (closed). Please read the issue for details, especially here, where AppSec agreed that this issue is only theoretical and can be fixed in public.

How to set up and validate locally

  • Follow the steps detailed in the original bug report: #417596 (closed)
  • Note: you have to disable CSP to reproduce the bug. In your GDK, one way to do that is to delete the code in config/initializers/content_security_policy.rb (and run gdk restart rails-web).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.