From 1b20fa3b498d9cd27684acee5fca118e93444e4a Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sat, 29 Mar 2014 14:54:06 +0000 Subject: [PATCH] Merged r13018 (#16466). git-svn-id: http://svn.redmine.org/redmine/branches/2.4-stable@13028 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/application_controller.rb | 2 +- test/functional/account_controller_test.rb | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index d0a5b0f3d..ddb6e49fa 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -379,7 +379,7 @@ class ApplicationController < ActionController::Base begin uri = URI.parse(back_url) # do not redirect user to another host or to the login or register page - if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) + if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) redirect_to(back_url) return end diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb index 86b7871a4..88713770f 100644 --- a/test/functional/account_controller_test.rb +++ b/test/functional/account_controller_test.rb @@ -48,8 +48,14 @@ class AccountControllerTest < ActionController::TestCase end def test_login_should_not_redirect_to_another_host - post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake' - assert_redirected_to '/my/page' + back_urls = [ + 'http://test.foo/fake', + '//test.foo/fake' + ] + back_urls.each do |back_url| + post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url + assert_redirected_to '/my/page' + end end def test_login_with_wrong_password