Fixed back url verification (#16466).
git-svn-id: http://svn.redmine.org/redmine/trunk@13018 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
cecbb225a2
commit
7567c3d8b2
|
@ -379,7 +379,7 @@ class ApplicationController < ActionController::Base
|
|||
begin
|
||||
uri = URI.parse(back_url)
|
||||
# do not redirect user to another host or to the login or register page
|
||||
if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
|
||||
if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
|
||||
redirect_to(back_url)
|
||||
return
|
||||
end
|
||||
|
|
|
@ -66,9 +66,15 @@ class AccountControllerTest < ActionController::TestCase
|
|||
end
|
||||
|
||||
def test_login_should_not_redirect_to_another_host
|
||||
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
|
||||
back_urls = [
|
||||
'http://test.foo/fake',
|
||||
'//test.foo/fake'
|
||||
]
|
||||
back_urls.each do |back_url|
|
||||
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
|
||||
assert_redirected_to '/my/page'
|
||||
end
|
||||
end
|
||||
|
||||
def test_login_with_wrong_password
|
||||
post :login, :username => 'admin', :password => 'bad'
|
||||
|
|
Loading…
Reference in New Issue