]> source.dussan.org Git - redmine.git/commitdiff
Fixed back url verification (#16466).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 29 Mar 2014 14:32:47 +0000 (14:32 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 29 Mar 2014 14:32:47 +0000 (14:32 +0000)
git-svn-id: http://svn.redmine.org/redmine/trunk@13018 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb
test/functional/account_controller_test.rb

index 43257b2bfaa73321c4f38ce0cb461e6cf0f16788..1e251c2a4a4963a52341da6d4e24a3bf8c239614 100644 (file)
@@ -379,7 +379,7 @@ class ApplicationController < ActionController::Base
       begin
         uri = URI.parse(back_url)
         # do not redirect user to another host or to the login or register page
-        if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
+        if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
           redirect_to(back_url)
           return
         end
index 35074bd4ed2c4215845043f0f5bd9c2995f96335..e9156957c802939ecd7abcb0960bfe9572492c3d 100644 (file)
@@ -66,8 +66,14 @@ class AccountControllerTest < ActionController::TestCase
   end
 
   def test_login_should_not_redirect_to_another_host
-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
-    assert_redirected_to '/my/page'
+    back_urls = [
+      'http://test.foo/fake',
+      '//test.foo/fake'
+    ]
+    back_urls.each do |back_url|
+      post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
+      assert_redirected_to '/my/page'
+    end
   end
 
   def test_login_with_wrong_password