From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 13 Sep 2015 14:45:20 +0000 (+0000)
Subject: Merged r14560 and r14561 (#19577).
X-Git-Tag: 2.6.7~7
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=5fde4e22464ff5a133c9808cb7b7b6a759393543;p=redmine.git

Merged r14560 and r14561 (#19577).

git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14564 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b161c96eb..15b236c01 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -390,8 +390,8 @@ class ApplicationController < ActionController::Base
 
   def redirect_back_or_default(default, options={})
     back_url = params[:back_url].to_s
-    if back_url.present? && valid_back_url?(back_url)
-      redirect_to(back_url)
+    if back_url.present? && valid_url = validate_back_url(back_url)
+      redirect_to(valid_url)
       return
     elsif options[:referer]
       redirect_to_referer_or default
@@ -401,8 +401,9 @@ class ApplicationController < ActionController::Base
     false
   end
 
-  # Returns true if back_url is a valid url for redirection, otherwise false
-  def valid_back_url?(back_url)
+  # Returns a validated URL string if back_url is a valid url for redirection,
+  # otherwise false
+  def validate_back_url(back_url)
     if CGI.unescape(back_url).include?('..')
       return false
     end
@@ -413,19 +414,36 @@ class ApplicationController < ActionController::Base
       return false
     end
 
-    if uri.host.present? && uri.host != request.host
+    [:scheme, :host, :port].each do |component|
+      if uri.send(component).present? && uri.send(component) != request.send(component)
+        return false
+      end
+      uri.send(:"#{component}=", nil)
+    end
+    # Always ignore basic user:password in the URL
+    uri.userinfo = nil
+
+    path = uri.to_s
+    # Ensure that the remaining URL starts with a slash, followed by a
+    # non-slash character or the end
+    if path !~ %r{\A/([^/]|\z)}
       return false
     end
 
-    if uri.path.match(%r{/(login|account/register)})
+    if path.match(%r{/(login|account/register)})
       return false
     end
 
-    if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
+    if relative_url_root.present? && !path.starts_with?(relative_url_root)
       return false
     end
 
-    return true
+    return path
+  end
+  private :validate_back_url
+
+  def valid_back_url?(back_url)
+    !!validate_back_url(back_url)
   end
   private :valid_back_url?
 
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 86d36f966..25693674c 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -63,6 +63,7 @@ class AccountControllerTest < ActionController::TestCase
     # request.uri is "test.host" in test environment
     back_urls = [
       'http://test.host/issues/show/1',
+      'http://test.host/',
       '/'
     ]
     back_urls.each do |back_url|
@@ -108,7 +109,16 @@ class AccountControllerTest < ActionController::TestCase
       'http://test.host/fake/issues',
       'http://test.host/redmine/../fake',
       'http://test.host/redmine/../fake/issues',
-      'http://test.host/redmine/%2e%2e/fake'
+      'http://test.host/redmine/%2e%2e/fake',
+      '//test.foo/fake',
+      'http://test.host//fake',
+      'http://test.host/\n//fake',
+      '//bar@test.foo',
+      '//test.foo',
+      '////test.foo',
+      '@test.foo',
+      'fake@test.foo',
+      '.test.foo'
     ]
     back_urls.each do |back_url|
       post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url