From b010054d69f538dbd6969abde270ea2b581507d7 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Tue, 13 Feb 2024 23:17:09 +0000
Subject: [PATCH] Replaces @URI.parse@ with @Addressable::URI.parse(url)@ to enhance robustness of @validate_back_url@ (#31831).

Patch by Go MAEDA (@maeda).

git-svn-id: https://svn.redmine.org/redmine/trunk@22710 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ad16b0e77..29c14f612 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -502,20 +502,19 @@ class ApplicationController < ActionController::Base
     end
 
     begin
-      uri = URI.parse(back_url)
-    rescue URI::InvalidURIError
-      return false
-    end
+      uri = Addressable::URI.parse(back_url)
+      [:scheme, :host, :port].each do |component|
+        if uri.send(component).present? && uri.send(component) != request.send(component)
+          return false
+        end
 
-    [:scheme, :host, :port].each do |component|
-      if uri.send(component).present? && uri.send(component) != request.send(component)
-        return false
+        uri.send(:"#{component}=", nil)
       end
-
-      uri.send(:"#{component}=", nil)
+      # Always ignore basic user:password in the URL
+      uri.userinfo = nil
+    rescue Addressable::URI::InvalidURIError
+      return false
     end
-    # Always ignore basic user:password in the URL
-    uri.userinfo = nil
 
     path = uri.to_s
     # Ensure that the remaining URL starts with a slash, followed by a
-- 
2.39.5
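Review bot: Clearing `host` before `port` inside the added loop (`uri.send(:"#{component}=", nil)`) can make a same-origin back_url with an explicit port fail validation: as far as I recall, each Addressable setter re-runs `validate`, which raises `InvalidURIError` when the host is nil while a port or userinfo is still set, so the URL lands in the new `rescue` and the method returns false instead of stripping the origin; the same applies to a `user:pass@` URL, because `uri.userinfo = nil` only runs after the host is cleared. Note also that `Addressable::URI#port` is nil unless a port is written in the URL, whereas `URI#port` reported the scheme default, so the port comparison now only fires for an explicit port; the path checks after the hunk are unchanged and still gate the result. Doing all three comparisons first and clearing afterwards, with host last, keeps the hostless intermediate state away from Addressable's validator (wrapping the clearing in `uri.defer_validation { ... }` is the shorter alternative). validate_back_url starts and ends outside the hunk.
```ruby
      uri = Addressable::URI.parse(back_url)
      [:scheme, :host, :port].each do |component|
        if uri.send(component).present? && uri.send(component) != request.send(component)
          return false
        end
      end
      # Clear the origin only after every check passed, and clear host last:
      # Addressable re-validates on each setter and rejects a port or userinfo
      # without a host.
      uri.port = nil
      uri.userinfo = nil
      uri.scheme = nil
      uri.host = nil
      # … unchanged: rescue Addressable::URI::InvalidURIError / return false / end …
```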