##// END OF EJS Templates
jro_apps » redmine
RSS
Unescape back_url param before calling redirect_to....
Jean-Philippe Lang -
r1891:8a356baf3e32
parent child
Show More
Side by Side Unified
Context file:
r1891:8a356baf3e32 Loading diff...:
Show file before | Show file after | Hide comments
@@ -16,6 +16,7
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 require 'uri'
18 require 'uri'
19 require 'cgi'
19
20
20 class ApplicationController < ActionController::Base
21 class ApplicationController < ActionController::Base
21 layout 'base'
22 layout 'base'
@@ -123,7 +124,7 class ApplicationController < ActionController::Base
123 end
124 end
124
125
125 def redirect_back_or_default(default)
126 def redirect_back_or_default(default)
126 back_url = params[:back_url]
127 back_url = CGI.unescape(params[:back_url].to_s)
127 if !back_url.blank?
128 if !back_url.blank?
128 uri = URI.parse(back_url)
129 uri = URI.parse(back_url)
129 # do not redirect user to another host
130 # do not redirect user to another host
Show file before | Show file after | Hide comments
@@ -194,7 +194,7 class TimelogController < ApplicationController
194 @time_entry.attributes = params[:time_entry]
194 @time_entry.attributes = params[:time_entry]
195 if request.post? and @time_entry.save
195 if request.post? and @time_entry.save
196 flash[:notice] = l(:notice_successful_update)
196 flash[:notice] = l(:notice_successful_update)
197 redirect_to(params[:back_url].blank? ? {:action => 'details', :project_id => @time_entry.project} : params[:back_url])
197 redirect_back_or_default :action => 'details', :project_id => @time_entry.project
198 return
198 return
199 end
199 end
200 end
200 end
Show file before | Show file after | Hide comments
@@ -46,12 +46,12 class AccountControllerTest < Test::Unit::TestCase
46
46
47 def test_login_should_redirect_to_back_url_param
47 def test_login_should_redirect_to_back_url_param
48 # request.uri is "test.host" in test environment
48 # request.uri is "test.host" in test environment
49 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
49 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'
50 assert_redirected_to '/issues/show/1'
50 assert_redirected_to '/issues/show/1'
51 end
51 end
52
52
53 def test_login_should_not_redirect_to_another_host
53 def test_login_should_not_redirect_to_another_host
54 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
54 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
55 assert_redirected_to '/my/page'
55 assert_redirected_to '/my/page'
56 end
56 end
57
57
General Comments 0
You need to be logged in to leave comments. Login now