##// END OF EJS Templates
Merged r14560 and r14561 (#19577)....
Jean-Philippe Lang -
r14180:e9c144c7defa
parent child
Show More
@@ -396,8 +396,8 class ApplicationController < ActionController::Base
396 396
397 397 def redirect_back_or_default(default, options={})
398 398 back_url = params[:back_url].to_s
399 if back_url.present? && valid_back_url?(back_url)
400 redirect_to(back_url)
399 if back_url.present? && valid_url = validate_back_url(back_url)
400 redirect_to(valid_url)
401 401 return
402 402 elsif options[:referer]
403 403 redirect_to_referer_or default
@@ -407,8 +407,9 class ApplicationController < ActionController::Base
407 407 false
408 408 end
409 409
410 # Returns true if back_url is a valid url for redirection, otherwise false
411 def valid_back_url?(back_url)
410 # Returns a validated URL string if back_url is a valid url for redirection,
411 # otherwise false
412 def validate_back_url(back_url)
412 413 if CGI.unescape(back_url).include?('..')
413 414 return false
414 415 end
@@ -419,19 +420,36 class ApplicationController < ActionController::Base
419 420 return false
420 421 end
421 422
422 if uri.host.present? && uri.host != request.host
423 [:scheme, :host, :port].each do |component|
424 if uri.send(component).present? && uri.send(component) != request.send(component)
425 return false
426 end
427 uri.send(:"#{component}=", nil)
428 end
429 # Always ignore basic user:password in the URL
430 uri.userinfo = nil
431
432 path = uri.to_s
433 # Ensure that the remaining URL starts with a slash, followed by a
434 # non-slash character or the end
435 if path !~ %r{\A/([^/]|\z)}
423 436 return false
424 437 end
425 438
426 if uri.path.match(%r{/(login|account/register)})
439 if path.match(%r{/(login|account/register)})
427 440 return false
428 441 end
429 442
430 if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
443 if relative_url_root.present? && !path.starts_with?(relative_url_root)
431 444 return false
432 445 end
433 446
434 return true
447 return path
448 end
449 private :validate_back_url
450
451 def valid_back_url?(back_url)
452 !!validate_back_url(back_url)
435 453 end
436 454 private :valid_back_url?
437 455
@@ -63,6 +63,7 class AccountControllerTest < ActionController::TestCase
63 63 # request.uri is "test.host" in test environment
64 64 back_urls = [
65 65 'http://test.host/issues/show/1',
66 'http://test.host/',
66 67 '/'
67 68 ]
68 69 back_urls.each do |back_url|
@@ -108,7 +109,16 class AccountControllerTest < ActionController::TestCase
108 109 'http://test.host/fake/issues',
109 110 'http://test.host/redmine/../fake',
110 111 'http://test.host/redmine/../fake/issues',
111 'http://test.host/redmine/%2e%2e/fake'
112 'http://test.host/redmine/%2e%2e/fake',
113 '//test.foo/fake',
114 'http://test.host//fake',
115 'http://test.host/\n//fake',
116 '//bar@test.foo',
117 '//test.foo',
118 '////test.foo',
119 '@test.foo',
120 'fake@test.foo',
121 '.test.foo'
112 122 ]
113 123 back_urls.each do |back_url|
114 124 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
General Comments 0
You need to be logged in to leave comments. Login now