diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2014-07-05 09:02:38 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2014-07-05 09:02:38 +0000 |
| commit | 0125ba14f6b0c7ff907c8bcadb1cfdf61ed9b157 (patch) | |
| tree | 745f5d4208e5abaa84a336d1ccc4f26f2635fb58 /app/controllers/application_controller.rb | |
| parent | 1b01a7ab5e351dbd81dd67dae80057e3ef74d809 (diff) | |
| download | redmine-0125ba14f6b0c7ff907c8bcadb1cfdf61ed9b157.tar.gz redmine-0125ba14f6b0c7ff907c8bcadb1cfdf61ed9b157.zip | |
Don't redirect to another suburi (#16530).
git-svn-id: http://svn.redmine.org/redmine/trunk@13213 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/application_controller.rb')
| -rw-r--r-- | app/controllers/application_controller.rb | 43 |
1 files changed, 31 insertions, 12 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8b7bff553..10e0ecbb2 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -376,18 +376,9 @@ class ApplicationController < ActionController::Base def redirect_back_or_default(default, options={}) back_url = params[:back_url].to_s - if back_url.present? - begin - uri = URI.parse(back_url) - # do not redirect user to another host or to the login or register page - if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) - redirect_to(back_url) - return - end - rescue URI::InvalidURIError - logger.warn("Could not redirect to invalid URL #{back_url}") - # redirect to default - end + if back_url.present? && valid_back_url?(back_url) + redirect_to(back_url) + return elsif options[:referer] redirect_to_referer_or default return @@ -396,6 +387,34 @@ class ApplicationController < ActionController::Base false end + # Returns true if back_url is a valid url for redirection, otherwise false + def valid_back_url?(back_url) + if CGI.unescape(back_url).include?('..') + return false + end + + begin + uri = URI.parse(back_url) + rescue URI::InvalidURIError + return false + end + + if uri.host.present? && uri.host != request.host + return false + end + + if uri.path.match(%r{/(login|account/register)}) + return false + end + + if relative_url_root.present? && !uri.path.starts_with?(relative_url_root) + return false + end + + return true + end + private :valid_back_url? + # Redirects to the request referer if present, redirects to args or call block otherwise. def redirect_to_referer_or(*args, &block) redirect_to :back |