From ebc979e9b1b70bab7bce5079ab7d19b333274514 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sun, 26 Aug 2012 10:40:09 +0000 Subject: [PATCH] Do not use escaped back_url param (#11691). git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10239 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/application_controller.rb | 11 ++++++++--- app/helpers/application_helper.rb | 13 ++++++++++--- test/functional/account_controller_test.rb | 4 ++-- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index d6efa4124..aacb8e523 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -296,12 +296,16 @@ class ApplicationController < ActionController::Base end def back_url - params[:back_url] || request.env['HTTP_REFERER'] + url = params[:back_url] + if url.nil? && referer = request.env['HTTP_REFERER'] + url = CGI.unescape(referer.to_s) + end + url end def redirect_back_or_default(default) - back_url = CGI.unescape(params[:back_url].to_s) - if !back_url.blank? + back_url = params[:back_url].to_s + if back_url.present? begin uri = URI.parse(back_url) # do not redirect user to another host or to the login or register page @@ -310,6 +314,7 @@ class ApplicationController < ActionController::Base return end rescue URI::InvalidURIError + logger.warn("Could not redirect to invalid URL #{back_url}") # redirect to default end end diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index cfa9cb5ab..2706cef78 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -1027,10 +1027,17 @@ module ApplicationHelper content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options)) end + def back_url + url = params[:back_url] + if url.nil? && referer = request.env['HTTP_REFERER'] + url = CGI.unescape(referer.to_s) + end + url + end + def back_url_hidden_field_tag - back_url = params[:back_url] || request.env['HTTP_REFERER'] - back_url = CGI.unescape(back_url.to_s) - hidden_field_tag('back_url', CGI.escape(back_url), :id => nil) unless back_url.blank? + url = back_url + hidden_field_tag('back_url', url, :id => nil) unless url.blank? end def check_all_links(form_name) diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb index f48e4b3a6..7b5a449e5 100644 --- a/test/functional/account_controller_test.rb +++ b/test/functional/account_controller_test.rb @@ -33,12 +33,12 @@ class AccountControllerTest < ActionController::TestCase def test_login_should_redirect_to_back_url_param # request.uri is "test.host" in test environment - post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1' + post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1' assert_redirected_to '/issues/show/1' end def test_login_should_not_redirect_to_another_host - post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake' + post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake' assert_redirected_to '/my/page' end