From 9a4b2b8e998b43e6b206fa154bf71f53ac1f6b83 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Mon, 19 Aug 2013 17:49:39 +0200
Subject: [PATCH] allow whitelisting target_origin in Travis.config

---
 Gemfile.lock                                 | 3 +--
 lib/travis/api/app/endpoint/authorization.rb | 8 +++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index ca52feb0..32bd5a4c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -37,8 +37,7 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-core.git
-  revision: 93b4779b1e5cb0c1211bf095856eb21ccc655423
-  ref: master-2014-10-06
+  revision: 35f690bfb12bb0bef90297783e7c7ab15048dfc0
   specs:
     travis-core (0.0.1)
       actionmailer (~> 3.2.19)
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 5733959d..82e4176b 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -324,7 +324,9 @@ class Travis::Api::App
 
         def target_ok?(target_origin)
           return unless uri = Addressable::URI.parse(target_origin)
-          if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\Z/
+          if allowed_https_targets.include?(uri.host)
+            uri.scheme == 'https'
+          elsif uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\Z/
             uri.scheme == 'https'
           elsif uri.host =~ /\A(.+\.)?travis-lite\.com\Z/
             uri.scheme == 'https'
@@ -332,6 +334,10 @@ class Travis::Api::App
             uri.port > 1023
           end
         end
+
+        def allowed_https_targets
+          @allowed_https_targets ||= Travis.config.auth.api.target_origin.split(',')
+        end
     end
   end
 end