Do not use escaped back_url param (#11691).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10239 e93f8b46-1217-0410-a6f0-8f06a7374b81
2012-08-26 10:40:09 +00:00 · 2012-08-26 10:40:09 +00:00 · ebc979e9b1
parent 3cc6d5e815
commit ebc979e9b1
3 changed files with 20 additions and 8 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -296,12 +296,16 @@ class ApplicationController < ActionController::Base
  end

  def back_url
-    params[:back_url] || request.env['HTTP_REFERER']
+    url = params[:back_url]
+    if url.nil? && referer = request.env['HTTP_REFERER']
+      url = CGI.unescape(referer.to_s)
+    end
+    url
  end

  def redirect_back_or_default(default)
-    back_url = CGI.unescape(params[:back_url].to_s)
-    if !back_url.blank?
+    back_url = params[:back_url].to_s
+    if back_url.present?
      begin
        uri = URI.parse(back_url)
        # do not redirect user to another host or to the login or register page
@ -310,6 +314,7 @@ class ApplicationController < ActionController::Base
          return
        end
      rescue URI::InvalidURIError
+        logger.warn("Could not redirect to invalid URL #{back_url}")
        # redirect to default
      end
    end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -1027,10 +1027,17 @@ module ApplicationHelper
    content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options))
  end

+  def back_url
+    url = params[:back_url]
+    if url.nil? && referer = request.env['HTTP_REFERER']
+      url = CGI.unescape(referer.to_s)
+    end
+    url
+  end
+
  def back_url_hidden_field_tag
-    back_url = params[:back_url] || request.env['HTTP_REFERER']
-    back_url = CGI.unescape(back_url.to_s)
-    hidden_field_tag('back_url', CGI.escape(back_url), :id => nil) unless back_url.blank?
+    url = back_url
+    hidden_field_tag('back_url', url, :id => nil) unless url.blank?
  end

  def check_all_links(form_name)
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@ -33,12 +33,12 @@ class AccountControllerTest < ActionController::TestCase

  def test_login_should_redirect_to_back_url_param
    # request.uri is "test.host" in test environment
-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'
+    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
    assert_redirected_to '/issues/show/1'
  end

  def test_login_should_not_redirect_to_another_host
-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
+    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
    assert_redirected_to '/my/page'
  end