##// END OF EJS Templates
jro_apps » redmine
RSS
Merged r13213 (#16530)....
Jean-Philippe Lang -
r12950:51e4705d0e11
parent child
Show More
Side by Side Unified
Context file:
r12950:51e4705d0e11 Loading diff...:
Show file before | Show file after | Hide comments
@@ -376,18 +376,9 class ApplicationController < ActionController::Base
376 376
377 377 def redirect_back_or_default(default, options={})
378 378 back_url = params[:back_url].to_s
379 if back_url.present?
380 begin
381 uri = URI.parse(back_url)
382 # do not redirect user to another host or to the login or register page
383 if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
384 redirect_to(back_url)
385 return
386 end
387 rescue URI::InvalidURIError
388 logger.warn("Could not redirect to invalid URL #{back_url}")
389 # redirect to default
390 end
379 if back_url.present? && valid_back_url?(back_url)
380 redirect_to(back_url)
381 return
391 382 elsif options[:referer]
392 383 redirect_to_referer_or default
393 384 return
@@ -396,6 +387,34 class ApplicationController < ActionController::Base
396 387 false
397 388 end
398 389
390 # Returns true if back_url is a valid url for redirection, otherwise false
391 def valid_back_url?(back_url)
392 if CGI.unescape(back_url).include?('..')
393 return false
394 end
395
396 begin
397 uri = URI.parse(back_url)
398 rescue URI::InvalidURIError
399 return false
400 end
401
402 if uri.host.present? && uri.host != request.host
403 return false
404 end
405
406 if uri.path.match(%r{/(login|account/register)})
407 return false
408 end
409
410 if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
411 return false
412 end
413
414 return true
415 end
416 private :valid_back_url?
417
399 418 # Redirects to the request referer if present, redirects to args or call block otherwise.
400 419 def redirect_to_referer_or(*args, &block)
401 420 redirect_to :back
Show file before | Show file after | Hide comments
@@ -71,6 +71,22 class AccountControllerTest < ActionController::TestCase
71 71 end
72 72 end
73 73
74 def test_login_with_suburi_should_redirect_to_back_url_param
75 @relative_url_root = ApplicationController.relative_url_root
76 ApplicationController.relative_url_root = '/redmine'
77
78 back_urls = [
79 'http://test.host/redmine/issues/show/1',
80 '/redmine'
81 ]
82 back_urls.each do |back_url|
83 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
84 assert_redirected_to back_url
85 end
86 ensure
87 ApplicationController.relative_url_root = @relative_url_root
88 end
89
74 90 def test_login_should_not_redirect_to_another_host
75 91 back_urls = [
76 92 'http://test.foo/fake',
@@ -82,6 +98,26 class AccountControllerTest < ActionController::TestCase
82 98 end
83 99 end
84 100
101 def test_login_with_suburi_should_not_redirect_to_another_suburi
102 @relative_url_root = ApplicationController.relative_url_root
103 ApplicationController.relative_url_root = '/redmine'
104
105 back_urls = [
106 'http://test.host/',
107 'http://test.host/fake',
108 'http://test.host/fake/issues',
109 'http://test.host/redmine/../fake',
110 'http://test.host/redmine/../fake/issues',
111 'http://test.host/redmine/%2e%2e/fake'
112 ]
113 back_urls.each do |back_url|
114 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
115 assert_redirected_to '/my/page'
116 end
117 ensure
118 ApplicationController.relative_url_root = @relative_url_root
119 end
120
85 121 def test_login_with_wrong_password
86 122 post :login, :username => 'admin', :password => 'bad'
87 123 assert_response :success
General Comments 0
You need to be logged in to leave comments. Login now