diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2020-04-05 08:04:27 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2020-04-05 08:04:27 +0000 |
| commit | 882d87327b41577ec4e0aa10435237cb691ffc39 (patch) | |
| tree | a761771410051732d7ceb12d3ef7716736df9428 /app | |
| parent | 06e538861a2dd176d29faa24dd630d1dbc38d2e3 (diff) | |
| download | redmine-882d87327b41577ec4e0aa10435237cb691ffc39.tar.gz redmine-882d87327b41577ec4e0aa10435237cb691ffc39.zip | |
Merged r19486 to 19488 to 4.1-stable (#32850).
git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@19647 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/application_controller.rb | 15 | ||||
| -rw-r--r-- | app/helpers/application_helper.rb | 17 |
2 files changed, 14 insertions, 18 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 02612e36f..f095ac7cf 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -415,14 +415,19 @@ class ApplicationController < ActionController::Base url = params[:back_url] if url.nil? && referer = request.env['HTTP_REFERER'] url = CGI.unescape(referer.to_s) + # URLs that contains the utf8=[checkmark] parameter added by Rails are + # parsed as invalid by URI.parse so the redirect to the back URL would + # not be accepted (ApplicationController#validate_back_url would return + # false) + url.gsub!(/(\?|&)utf8=\u2713&?/, '\1') end url end + helper_method :back_url def redirect_back_or_default(default, options={}) - back_url = params[:back_url].to_s - if back_url.present? && valid_url = validate_back_url(back_url) - redirect_to(valid_url) + if back_url = validate_back_url(params[:back_url].to_s) + redirect_to(back_url) return elsif options[:referer] redirect_to_referer_or default @@ -435,6 +440,8 @@ class ApplicationController < ActionController::Base # Returns a validated URL string if back_url is a valid url for redirection, # otherwise false def validate_back_url(back_url) + return false if back_url.blank? + if CGI.unescape(back_url).include?('..') return false end @@ -472,11 +479,13 @@ class ApplicationController < ActionController::Base return path end private :validate_back_url + helper_method :validate_back_url def valid_back_url?(back_url) !!validate_back_url(back_url) end private :valid_back_url? + helper_method :valid_back_url? # Redirects to the request referer if present, redirects to args or call block otherwise. def redirect_to_referer_or(*args, &block) diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index e13825082..966a256b5 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -1415,26 +1415,13 @@ module ApplicationHelper arg.to_json.to_s.gsub('/', '\/').html_safe end - def back_url - url = params[:back_url] - if url.nil? && referer = request.env['HTTP_REFERER'] - url = CGI.unescape(referer.to_s) - # URLs that contains the utf8=[checkmark] parameter added by Rails are - # parsed as invalid by URI.parse so the redirect to the back URL would - # not be accepted (ApplicationController#validate_back_url would return - # false) - url.gsub!(/(\?|&)utf8=\u2713&?/, '\1') - end - url - end - def back_url_hidden_field_tag - url = back_url + url = validate_back_url(back_url) hidden_field_tag('back_url', url, :id => nil) unless url.blank? end def cancel_button_tag(fallback_url) - url = back_url.blank? ? fallback_url : back_url + url = validate_back_url(back_url) || fallback_url link_to l(:button_cancel), url end |