From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 26 Aug 2012 10:40:09 +0000 (+0000)
Subject: Do not use escaped back_url param (#11691).
X-Git-Tag: 2.1.0~104
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ebc979e9b1b70bab7bce5079ab7d19b333274514;p=redmine.git

Do not use escaped back_url param (#11691).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10239 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d6efa4124..aacb8e523 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -296,12 +296,16 @@ class ApplicationController < ActionController::Base
   end
 
   def back_url
-    params[:back_url] || request.env['HTTP_REFERER']
+    url = params[:back_url]
+    if url.nil? && referer = request.env['HTTP_REFERER']
+      url = CGI.unescape(referer.to_s)
+    end
+    url
   end
 
   def redirect_back_or_default(default)
-    back_url = CGI.unescape(params[:back_url].to_s)
-    if !back_url.blank?
+    back_url = params[:back_url].to_s
+    if back_url.present?
       begin
         uri = URI.parse(back_url)
         # do not redirect user to another host or to the login or register page
@@ -310,6 +314,7 @@ class ApplicationController < ActionController::Base
           return
         end
       rescue URI::InvalidURIError
+        logger.warn("Could not redirect to invalid URL #{back_url}")
         # redirect to default
       end
     end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index cfa9cb5ab..2706cef78 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1027,10 +1027,17 @@ module ApplicationHelper
     content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options))
   end
 
+  def back_url
+    url = params[:back_url]
+    if url.nil? && referer = request.env['HTTP_REFERER']
+      url = CGI.unescape(referer.to_s)
+    end
+    url
+  end
+
   def back_url_hidden_field_tag
-    back_url = params[:back_url] || request.env['HTTP_REFERER']
-    back_url = CGI.unescape(back_url.to_s)
-    hidden_field_tag('back_url', CGI.escape(back_url), :id => nil) unless back_url.blank?
+    url = back_url
+    hidden_field_tag('back_url', url, :id => nil) unless url.blank?
   end
 
   def check_all_links(form_name)
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index f48e4b3a6..7b5a449e5 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -33,12 +33,12 @@ class AccountControllerTest < ActionController::TestCase
 
   def test_login_should_redirect_to_back_url_param
     # request.uri is "test.host" in test environment
-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'
+    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
     assert_redirected_to '/issues/show/1'
   end
 
   def test_login_should_not_redirect_to_another_host
-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
+    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
     assert_redirected_to '/my/page'
   end