Fixed: inappropriate redirection to login or register page may occur (#2206). Eg...
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Thu, 27 Nov 2008 20:15:45 +0000 (20:15 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Thu, 27 Nov 2008 20:15:45 +0000 (20:15 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2062 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application.rb

index 2f8f493cd29df5194a87a6b97f5c9fffd435eee0..e5719a05969bb2643d23927a7a8d78ed0ffa7026 100644 (file)
@@ -127,8 +127,8 @@ class ApplicationController < ActionController::Base
     back_url = CGI.unescape(params[:back_url].to_s)
     if !back_url.blank?
       uri = URI.parse(back_url)
-      # do not redirect user to another host
-      if uri.relative? || (uri.host == request.host)
+      # do not redirect user to another host or to the login or register page
+      if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
         redirect_to(back_url) and return
       end
     end
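Review bot: The host check on the added `if` line still relies on `uri.relative?`, which Ruby's URI reports as true for a scheme-less reference that carries a host, so the "another host" guard is skipped for that form; whether the redirect then leaves the site depends on how `redirect_to` expands such a string, which is not visible here. Requiring the host to be absent closes the gap: `if ((uri.relative? && uri.host.nil?) || uri.host == request.host) && !uri.path.match(...)`. The new pattern `%r{/(login|account/register)}` is unanchored, so any path that merely contains `/login` (for example a page or project whose name starts with "login") is also refused as a back URL; anchoring the end, `%r{/(login|account/register)\z}`, keeps the intent. `URI.parse` raises on malformed input and no rescue is visible in the hunk; the enclosing method starts and ends outside it, so confirm one exists there.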