Merged r13040 (#16467).

git-svn-id: http://svn.redmine.org/redmine/branches/2.4-stable@13045 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ddb6e49fa782bea8f1bf9f03638a2e641d90fc14..449890eecf58aa6a8bc3cf55f150a6327dfce8f8 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -379,7 +379,7 @@ class ApplicationController < ActionController::Base
       begin
         uri = URI.parse(back_url)
         # do not redirect user to another host or to the login or register page
-        if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
+        if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
           redirect_to(back_url)
           return
         end

diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 88713770fafe4e22f9120cd55795f841d5c0f80f..e77009e1605ae151622aa2824f0ffa6d72320bc3 100644 (file)
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -43,8 +43,14 @@ class AccountControllerTest < ActionController::TestCase
 
   def test_login_should_redirect_to_back_url_param
     # request.uri is "test.host" in test environment
-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
-    assert_redirected_to '/issues/show/1'
+    back_urls = [
+      'http://test.host/issues/show/1',
+      '/'
+    ]
+    back_urls.each do |back_url|
+      post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
+      assert_redirected_to back_url
+    end
   end
 
   def test_login_should_not_redirect_to_another_host