Fixed that back_url=/ param is ignored (#16467).

git-svn-id: http://svn.redmine.org/redmine/trunk@13040 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2014-04-05 08:11:28 +00:00
parent e739628c81
commit 380b0515d1
2 changed files with 9 additions and 3 deletions

View File

@ -379,7 +379,7 @@ class ApplicationController < ActionController::Base
begin
uri = URI.parse(back_url)
# do not redirect user to another host or to the login or register page
if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
if ((uri.relative? && back_url.match(%r{\A/(\w.*)?\z})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
redirect_to(back_url)
return
end

View File

@ -61,8 +61,14 @@ class AccountControllerTest < ActionController::TestCase
def test_login_should_redirect_to_back_url_param
# request.uri is "test.host" in test environment
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
assert_redirected_to '/issues/show/1'
back_urls = [
'http://test.host/issues/show/1',
'/'
]
back_urls.each do |back_url|
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
assert_redirected_to back_url
end
end
def test_login_should_not_redirect_to_another_host