##// END OF EJS Templates
jro_apps » redmine
RSS
Merged r13213 (#16530)....
Jean-Philippe Lang -
r12951:6eb875521331
parent child
Show More
Side by Side Unified
Context file:
r12951:6eb875521331 Loading diff...:
Show file before | Show file after | Hide comments
@@ -376,22 +376,41 class ApplicationController < ActionController::Base
376 376
377 377 def redirect_back_or_default(default)
378 378 back_url = params[:back_url].to_s
379 if back_url.present?
380 begin
381 uri = URI.parse(back_url)
382 # do not redirect user to another host or to the login or register page
383 if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
379 if back_url.present? && valid_back_url?(back_url)
384 380 redirect_to(back_url)
385 381 return
386 382 end
383 redirect_to default
384 false
385 end
386
387 # Returns true if back_url is a valid url for redirection, otherwise false
388 def valid_back_url?(back_url)
389 if CGI.unescape(back_url).include?('..')
390 return false
391 end
392
393 begin
394 uri = URI.parse(back_url)
387 395 rescue URI::InvalidURIError
388 logger.warn("Could not redirect to invalid URL #{back_url}")
389 # redirect to default
396 return false
390 397 end
398
399 if uri.host.present? && uri.host != request.host
400 return false
391 401 end
392 redirect_to default
393 false
402
403 if uri.path.match(%r{/(login|account/register)})
404 return false
405 end
406
407 if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
408 return false
409 end
410
411 return true
394 412 end
413 private :valid_back_url?
395 414
396 415 # Redirects to the request referer if present, redirects to args or call block otherwise.
397 416 def redirect_to_referer_or(*args, &block)
Show file before | Show file after | Hide comments
@@ -53,6 +53,22 class AccountControllerTest < ActionController::TestCase
53 53 end
54 54 end
55 55
56 def test_login_with_suburi_should_redirect_to_back_url_param
57 @relative_url_root = ApplicationController.relative_url_root
58 ApplicationController.relative_url_root = '/redmine'
59
60 back_urls = [
61 'http://test.host/redmine/issues/show/1',
62 '/redmine'
63 ]
64 back_urls.each do |back_url|
65 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
66 assert_redirected_to back_url
67 end
68 ensure
69 ApplicationController.relative_url_root = @relative_url_root
70 end
71
56 72 def test_login_should_not_redirect_to_another_host
57 73 back_urls = [
58 74 'http://test.foo/fake',
@@ -64,6 +80,26 class AccountControllerTest < ActionController::TestCase
64 80 end
65 81 end
66 82
83 def test_login_with_suburi_should_not_redirect_to_another_suburi
84 @relative_url_root = ApplicationController.relative_url_root
85 ApplicationController.relative_url_root = '/redmine'
86
87 back_urls = [
88 'http://test.host/',
89 'http://test.host/fake',
90 'http://test.host/fake/issues',
91 'http://test.host/redmine/../fake',
92 'http://test.host/redmine/../fake/issues',
93 'http://test.host/redmine/%2e%2e/fake'
94 ]
95 back_urls.each do |back_url|
96 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
97 assert_redirected_to '/my/page'
98 end
99 ensure
100 ApplicationController.relative_url_root = @relative_url_root
101 end
102
67 103 def test_login_with_wrong_password
68 104 post :login, :username => 'admin', :password => 'bad'
69 105 assert_response :success
General Comments 0
You need to be logged in to leave comments. Login now