Merged r13213 (#16530)....
Jean-Philippe Lang -
r12951:6eb875521331
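--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -376,23 +376,42 @@ class ApplicationController < ActionController::Base
 
   def redirect_back_or_default(default)
     back_url = params[:back_url].to_s
-    if back_url.present?
-      begin
-        uri = URI.parse(back_url)
-        # do not redirect user to another host or to the login or register page
-        if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
-          redirect_to(back_url)
-          return
-        end
-      rescue URI::InvalidURIError
-        logger.warn("Could not redirect to invalid URL #{back_url}")
-        # redirect to default
-      end
+    if back_url.present? && valid_back_url?(back_url)
+      redirect_to(back_url)
+      return
     end
     redirect_to default
     false
   end
 
+  # Returns true if back_url is a valid url for redirection, otherwise false
+  def valid_back_url?(back_url)
+    if CGI.unescape(back_url).include?('..')
+      return false
+    end
+
+    begin
+      uri = URI.parse(back_url)
+    rescue URI::InvalidURIError
+      return false
+    end
+
+    if uri.host.present? && uri.host != request.host
+      return false
+    end
+
+    if uri.path.match(%r{/(login|account/register)})
+      return false
+    end
+
+    if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
+      return false
+    end
+
+    return true
+  end
+  private :valid_back_url?
+
   # Redirects to the request referer if present, redirects to args or call block otherwise.
   def redirect_to_referer_or(*args, &block)
     redirect_to :back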
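Review bot: `valid_back_url?` drops the leading-slash requirement that the removed branch enforced with `back_url.match(%r{\A/(\w.*)?\z})`: when `relative_url_root` is blank, a relative value such as `.attacker.example` has no host, contains no `..`, and fails none of the remaining checks, so it is handed to `redirect_to` unchanged. If, as I believe for the Rails versions of this era, `redirect_to` builds the Location for a string without a scheme by concatenating `request.protocol + request.host_with_port + back_url`, that yields an open redirect to `test.host.attacker.example`; please confirm against the Rails version in use. Re-instating the removed check right after the `URI.parse` rescue block closes it: `return false if uri.relative? && !back_url.match(%r{\A/(\w.*)?\z})`. The scheme is also never compared, so an absolute URL is accepted on host alone; `return false if uri.scheme.present? && !%w(http https).include?(uri.scheme)` would pin it, and for non-hierarchical URIs `uri.path` may be nil and raise on `.match`, which deserves a test. The enclosing class and `redirect_to_referer_or` continue outside the hunk.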
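--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -53,6 +53,22 @@ class AccountControllerTest < ActionController::TestCase
     end
   end
 
+  def test_login_with_suburi_should_redirect_to_back_url_param
+    @relative_url_root = ApplicationController.relative_url_root
+    ApplicationController.relative_url_root = '/redmine'
+
+    back_urls = [
+      'http://test.host/redmine/issues/show/1',
+      '/redmine'
+    ]
+    back_urls.each do |back_url|
+      post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
+      assert_redirected_to back_url
+    end
+  ensure
+    ApplicationController.relative_url_root = @relative_url_root
+  end
+
   def test_login_should_not_redirect_to_another_host
     back_urls = [
       'http://test.foo/fake',
@@ -64,6 +80,26 @@ class AccountControllerTest < ActionController::TestCase
     end
   end
 
+  def test_login_with_suburi_should_not_redirect_to_another_suburi
+    @relative_url_root = ApplicationController.relative_url_root
+    ApplicationController.relative_url_root = '/redmine'
+
+    back_urls = [
+      'http://test.host/',
+      'http://test.host/fake',
+      'http://test.host/fake/issues',
+      'http://test.host/redmine/../fake',
+      'http://test.host/redmine/../fake/issues',
+      'http://test.host/redmine/%2e%2e/fake'
+    ]
+    back_urls.each do |back_url|
+      post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
+      assert_redirected_to '/my/page'
+    end
+  ensure
+    ApplicationController.relative_url_root = @relative_url_root
+  end
+
   def test_login_with_wrong_password
     post :login, :username => 'admin', :password => 'bad'
     assert_response :success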
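Review bot: Every negative case in `test_login_with_suburi_should_not_redirect_to_another_suburi` carries an explicit `http://test.host` authority, so the new validator is never exercised with a relative `back_url` that lacks a leading slash or with a non-http scheme, the two shapes that reach `redirect_to` on the host and `..` checks alone. Adding `'fake/issues'` to this list and, in the non-suburi list, entries such as `'test.foo/fake'` and `'javascript:alert(1)'` would document the intended rejection, with the caveat that the `javascript:` case may currently surface as an exception rather than a redirect to `/my/page` if `URI#path` is nil for that input, which is itself worth learning from the test. Both new tests also repeat the save/restore of `ApplicationController.relative_url_root` around the body; a small helper like `with_relative_url_root('/redmine') { ... }` would keep each test focused on its URL list. The body of `test_login_should_not_redirect_to_another_host` continues outside the hunk.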