diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-09-13 14:35:20 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-09-13 14:35:20 +0000 |
| commit | 032f2c9be6520d9d1a1608aa4f1d5d1f184f2472 (patch) | |
| tree | e47178125e742c4352f250dd3f4e35ad7c3d690d /app/controllers | |
| parent | 6583c1774d0604737fa9a6612f7a30920221ca9b (diff) | |
| download | redmine-032f2c9be6520d9d1a1608aa4f1d5d1f184f2472.tar.gz redmine-032f2c9be6520d9d1a1608aa4f1d5d1f184f2472.zip | |
Open redirect vulnerability (#19577).
Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@14560 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/application_controller.rb | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 5949f47b6..9f307c3e2 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -396,8 +396,8 @@ class ApplicationController < ActionController::Base def redirect_back_or_default(default, options={}) back_url = params[:back_url].to_s - if back_url.present? && valid_back_url?(back_url) - redirect_to(back_url) + if back_url.present? && valid_url = validate_back_url(back_url) + redirect_to(valid_url) return elsif options[:referer] redirect_to_referer_or default @@ -407,8 +407,9 @@ class ApplicationController < ActionController::Base false end - # Returns true if back_url is a valid url for redirection, otherwise false - def valid_back_url?(back_url) + # Returns a validated URL string if back_url is a valid url for redirection, + # otherwise false + def validate_back_url(back_url) if CGI.unescape(back_url).include?('..') return false end @@ -419,19 +420,36 @@ class ApplicationController < ActionController::Base return false end - if uri.host.present? && uri.host != request.host + [:scheme, :host, :port].each do |component| + if uri.send(component).present? && uri.send(component) != request.send(component) + return false + end + uri.send(:"#{component}=", nil) + end + # Always ignore basic user:password in the URL + uri.userinfo = nil + + path = uri.to_s + # Ensure that the remaining URL starts with a slash, followed by a + # non-slash character or the end + if path !~ %r{\A/([^/]|\z)} return false end - if uri.path.match(%r{/(login|account/register)}) + if path.match(%r{/(login|account/register)}) return false end - if relative_url_root.present? && !uri.path.starts_with?(relative_url_root) + if relative_url_root.present? && !path.starts_with?(relative_url_root) return false end - return true + return path + end + private :validate_back_url + + def valid_back_url?(back_url) + !!validate_back_url(back_url) end private :valid_back_url? |