From 032f2c9be6520d9d1a1608aa4f1d5d1f184f2472 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 13 Sep 2015 14:35:20 +0000
Subject: Open redirect vulnerability (#19577).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@14560 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/functional/account_controller_test.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'test/functional/account_controller_test.rb')

diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index e7b4c4fc1..362af68a2 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -63,6 +63,7 @@ class AccountControllerTest < ActionController::TestCase
     # request.uri is "test.host" in test environment
     back_urls = [
       'http://test.host/issues/show/1',
+      'http://test.host/',
       '/'
     ]
     back_urls.each do |back_url|
@@ -108,7 +109,15 @@ class AccountControllerTest < ActionController::TestCase
       'http://test.host/fake/issues',
       'http://test.host/redmine/../fake',
       'http://test.host/redmine/../fake/issues',
-      'http://test.host/redmine/%2e%2e/fake'
+      'http://test.host/redmine/%2e%2e/fake',
+      '//test.foo/fake',
+      'http://test.host//fake',
+      'http://test.host/\n//fake',
+      '//bar@test.foo',
+      '//test.foo',
+      '////test.foo',
+      '@test.foo',
+      'fake@test.foo'
     ]
     back_urls.each do |back_url|
       post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
-- 
cgit v1.2.3