| @@ -379,7 +379,7 class ApplicationController < ActionController::Base | |||||
| 379 | begin |
|
379 | begin | |
| 380 | uri = URI.parse(back_url) |
|
380 | uri = URI.parse(back_url) | |
| 381 | # do not redirect user to another host or to the login or register page |
|
381 | # do not redirect user to another host or to the login or register page | |
| 382 | if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) |
|
382 | if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) | |
| 383 | redirect_to(back_url) |
|
383 | redirect_to(back_url) | |
| 384 | return |
|
384 | return | |
| 385 | end |
|
385 | end | |
| @@ -48,8 +48,14 class AccountControllerTest < ActionController::TestCase | |||||
| 48 | end |
|
48 | end | |
| 49 |
|
49 | |||
| 50 | def test_login_should_not_redirect_to_another_host |
|
50 | def test_login_should_not_redirect_to_another_host | |
| 51 | post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake' |
|
51 | back_urls = [ | |
| 52 | assert_redirected_to '/my/page' |
|
52 | 'http://test.foo/fake', | |
|
|
53 | '//test.foo/fake' | |||
|
|
54 | ] | |||
|
|
55 | back_urls.each do |back_url| | |||
|
|
56 | post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url | |||
|
|
57 | assert_redirected_to '/my/page' | |||
|
|
58 | end | |||
| 53 | end |
|
59 | end | |
| 54 |
|
60 | |||
| 55 | def test_login_with_wrong_password |
|
61 | def test_login_with_wrong_password | |
General Comments 0
You need to be logged in to leave comments.
Login now