Do not use escaped back_url param (#11691).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10239 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
3cc6d5e815
commit
ebc979e9b1
|
@ -296,12 +296,16 @@ class ApplicationController < ActionController::Base
|
||||||
end
|
end
|
||||||
|
|
||||||
def back_url
|
def back_url
|
||||||
params[:back_url] || request.env['HTTP_REFERER']
|
url = params[:back_url]
|
||||||
|
if url.nil? && referer = request.env['HTTP_REFERER']
|
||||||
|
url = CGI.unescape(referer.to_s)
|
||||||
|
end
|
||||||
|
url
|
||||||
end
|
end
|
||||||
|
|
||||||
def redirect_back_or_default(default)
|
def redirect_back_or_default(default)
|
||||||
back_url = CGI.unescape(params[:back_url].to_s)
|
back_url = params[:back_url].to_s
|
||||||
if !back_url.blank?
|
if back_url.present?
|
||||||
begin
|
begin
|
||||||
uri = URI.parse(back_url)
|
uri = URI.parse(back_url)
|
||||||
# do not redirect user to another host or to the login or register page
|
# do not redirect user to another host or to the login or register page
|
||||||
|
@ -310,6 +314,7 @@ class ApplicationController < ActionController::Base
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
rescue URI::InvalidURIError
|
rescue URI::InvalidURIError
|
||||||
|
logger.warn("Could not redirect to invalid URL #{back_url}")
|
||||||
# redirect to default
|
# redirect to default
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -1027,10 +1027,17 @@ module ApplicationHelper
|
||||||
content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options))
|
content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def back_url
|
||||||
|
url = params[:back_url]
|
||||||
|
if url.nil? && referer = request.env['HTTP_REFERER']
|
||||||
|
url = CGI.unescape(referer.to_s)
|
||||||
|
end
|
||||||
|
url
|
||||||
|
end
|
||||||
|
|
||||||
def back_url_hidden_field_tag
|
def back_url_hidden_field_tag
|
||||||
back_url = params[:back_url] || request.env['HTTP_REFERER']
|
url = back_url
|
||||||
back_url = CGI.unescape(back_url.to_s)
|
hidden_field_tag('back_url', url, :id => nil) unless url.blank?
|
||||||
hidden_field_tag('back_url', CGI.escape(back_url), :id => nil) unless back_url.blank?
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_all_links(form_name)
|
def check_all_links(form_name)
|
||||||
|
|
|
@ -33,12 +33,12 @@ class AccountControllerTest < ActionController::TestCase
|
||||||
|
|
||||||
def test_login_should_redirect_to_back_url_param
|
def test_login_should_redirect_to_back_url_param
|
||||||
# request.uri is "test.host" in test environment
|
# request.uri is "test.host" in test environment
|
||||||
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'
|
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
|
||||||
assert_redirected_to '/issues/show/1'
|
assert_redirected_to '/issues/show/1'
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_login_should_not_redirect_to_another_host
|
def test_login_should_not_redirect_to_another_host
|
||||||
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
|
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
|
||||||
assert_redirected_to '/my/page'
|
assert_redirected_to '/my/page'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue