| @@ -379,7 +379,7 class ApplicationController < ActionController::Base | |||
|
|
379 | 379 | begin |
|
|
380 | 380 | uri = URI.parse(back_url) |
|
|
381 | 381 | # do not redirect user to another host or to the login or register page |
|
|
382 | if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) | |
|
|
382 | if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) | |
|
|
383 | 383 | redirect_to(back_url) |
|
|
384 | 384 | return |
|
|
385 | 385 | end |
| @@ -43,8 +43,14 class AccountControllerTest < ActionController::TestCase | |||
|
|
43 | 43 | |
|
|
44 | 44 | def test_login_should_redirect_to_back_url_param |
|
|
45 | 45 | # request.uri is "test.host" in test environment |
|
|
46 | post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1' | |
|
|
47 |
|
|
|
|
46 | back_urls = [ | |
|
|
47 | 'http://test.host/issues/show/1', | |
|
|
48 | '/' | |
|
|
49 | ] | |
|
|
50 | back_urls.each do |back_url| | |
|
|
51 | post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url | |
|
|
52 | assert_redirected_to back_url | |
|
|
53 | end | |
|
|
48 | 54 | end |
|
|
49 | 55 | |
|
|
50 | 56 | def test_login_should_not_redirect_to_another_host |
General Comments 0
You need to be logged in to leave comments.
Login now