From d2973a641ec8db23af79270a3cea56f48eb1fdf5 Mon Sep 17 00:00:00 2001
From: Eric Davis
Date: Thu, 28 Apr 2011 14:39:19 -0700
Subject: [PATCH] [#347] Fix potential Execution After Redirect bugs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Execution After Redirect (EAR) happens when redirect in a controller is triggered but there still is code that is executed in the action.

Contributed by Adam Doupé
---
 app/controllers/application_controller.rb | 1 +
 app/controllers/custom_fields_controller.rb | 6 ++++--
 app/controllers/enumerations_controller.rb | 2 ++
 .../issue_categories_controller.rb | 2 ++
 app/controllers/roles_controller.rb | 8 ++++---
 app/controllers/settings_controller.rb | 21 ++++++++++---------
 6 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 10c7b653..58f9f805 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -274,6 +274,7 @@ class ApplicationController < ActionController::Base
 end
 end
 redirect_to default
+ false
 end
 def render_403(options={})
diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb
index 51457e74..cfcf7db7 100644
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@@ -38,8 +38,9 @@ class CustomFieldsController < ApplicationController
 flash[:notice] = l(:notice_successful_create)
 call_hook(:controller_custom_fields_new_after_save, :params => params, :custom_field => @custom_field)
 redirect_to :action => 'index', :tab => @custom_field.class.name
+ else
+ @trackers = Tracker.find(:all, :order => 'position')
 end
- @trackers = Tracker.find(:all, :order => 'position')
 end
 def edit
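Review bot: The added `false` after `redirect_to default` only stops execution after the redirect if every caller tests the return value, and nothing in this hunk documents that contract; the enclosing method starts outside the hunk, so its name and callers are not visible here. The two `end`s above it suggest an earlier branch that redirects and leaves the method without an explicit value, in which case callers would see `nil` from one path and `false` from the other — if so, both paths should return the same value. The other hunks in this commit use `redirect_to ...; return` or an `if/else`, which do not depend on caller discipline and would be the safer shape here as well. At minimum, document the intent above the new line: `# Returns false: callers must not run further code once this has redirected (EAR guard)`.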
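Review bot: The new `else` branch re-introduces `@trackers = Tracker.find(:all, :order => 'position')` as a copy of the line removed just below it, and the second hunk of this file makes the same copy for the `edit` action; the two roles_controller.rb hunks do likewise with `@permissions = @role.setable_permissions`. A small private helper or a `before_filter` on `new`/`edit` that loads `@trackers` would keep both actions in step if the query or ordering changes. The `if` that this `else` belongs to starts outside the hunk, so whether the branch also serves the non-POST render path cannot be confirmed from here.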
@@ -48,8 +49,9 @@ class CustomFieldsController < ApplicationController
 flash[:notice] = l(:notice_successful_update)
 call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
 redirect_to :action => 'index', :tab => @custom_field.class.name
+ else
+ @trackers = Tracker.find(:all, :order => 'position')
 end
- @trackers = Tracker.find(:all, :order => 'position')
 end
 def destroy
diff --git a/app/controllers/enumerations_controller.rb b/app/controllers/enumerations_controller.rb
index e5b50c87..539a221f 100644
--- a/app/controllers/enumerations_controller.rb
+++ b/app/controllers/enumerations_controller.rb
@@ -75,10 +75,12 @@ class EnumerationsController < ApplicationController
 # No associated objects
 @enumeration.destroy
 redirect_to :action => 'index'
+ return
 elsif params[:reassign_to_id]
 if reassign_to = @enumeration.class.find_by_id(params[:reassign_to_id])
 @enumeration.destroy(reassign_to)
 redirect_to :action => 'index'
+ return
 end
 end
 @enumerations = @enumeration.class.find(:all) - [@enumeration]
diff --git a/app/controllers/issue_categories_controller.rb b/app/controllers/issue_categories_controller.rb
index a43a767b..049ef07f 100644
--- a/app/controllers/issue_categories_controller.rb
+++ b/app/controllers/issue_categories_controller.rb
@@ -65,10 +65,12 @@ class IssueCategoriesController < ApplicationController
 # No issue assigned to this category
 @category.destroy
 redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
+ return
 elsif params[:todo]
 reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id]) if params[:todo] == 'reassign'
 @category.destroy(reassign_to)
 redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
+ return
 end
 @categories = @project.issue_categories - [@category]
 end
diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb
index 0809f904..efb08497 100644
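Review bot: In the `elsif params[:todo]` branch, `reassign_to` is still `nil` when `params[:todo]` is not `'reassign'` or when `reassign_to_id` does not resolve within `@project.issue_categories`, and `@category.destroy(reassign_to)` runs either way before the new `return`; an unresolvable id is therefore treated like a plain delete (assuming `destroy(nil)` means no reassignment), and the redirect now ends the action on that path. If that fallback is not intended, reject the unresolved case before destroying: `return render_404 if params[:todo] == 'reassign' && reassign_to.nil?`. The lookup is already scoped to `@project.issue_categories`, so a category from another project cannot be chosen as the target. The enclosing action starts outside the hunk, so the request-method check is not visible here.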
--- a/app/controllers/roles_controller.rb
+++ b/app/controllers/roles_controller.rb
@@ -38,9 +38,10 @@ class RolesController < ApplicationController
 end
 flash[:notice] = l(:notice_successful_create)
 redirect_to :action => 'index'
+ else
+ @permissions = @role.setable_permissions
+ @roles = Role.find :all, :order => 'builtin, position'
 end
- @permissions = @role.setable_permissions
- @roles = Role.find :all, :order => 'builtin, position'
 end
 def edit
@@ -48,8 +49,9 @@ class RolesController < ApplicationController
 if request.post? and @role.update_attributes(params[:role])
 flash[:notice] = l(:notice_successful_update)
 redirect_to :action => 'index'
+ else
+ @permissions = @role.setable_permissions
 end
- @permissions = @role.setable_permissions
 end
 def destroy
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index 804a7fda..a4dcadf2 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -36,16 +36,16 @@ class SettingsController < ApplicationController
 end
 flash[:notice] = l(:notice_successful_update)
 redirect_to :action => 'edit', :tab => params[:tab]
- return
- end
- @options = {}
- @options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
- @deliveries = ActionMailer::Base.perform_deliveries
+ else
+ @options = {}
+ @options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
+ @deliveries = ActionMailer::Base.perform_deliveries
- @guessed_host_and_path = request.host_with_port.dup
- @guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
+ @guessed_host_and_path = request.host_with_port.dup
+ @guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
- Redmine::Themes.rescan
+ Redmine::Themes.rescan
+ end
 end
 def plugin
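Review bot: The removed `return` already ended the action right after `redirect_to :action => 'edit', :tab => params[:tab]`, so this hunk does not close an execution-after-redirect gap; it replaces a guard clause with an `else` branch that wraps eight lines, including the `Redmine::Themes.rescan` side effect, which is the opposite of the `redirect_to ...; return` shape the enumerations_controller.rb and issue_categories_controller.rb hunks adopt. Keeping the early `return` would be consistent with those hunks and one level shallower. Separately, `@guessed_host_and_path` is seeded from `request.host_with_port`, a value the client controls through the Host header; that is pre-existing and only a form suggestion, but a comment such as `# Guessed from the request's Host header; the administrator confirms it before it is saved` would make the trust level explicit. The enclosing action starts outside the hunk.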
@@ -54,9 +54,10 @@ class SettingsController < ApplicationController
 Setting["plugin_#{@plugin.id}"] = params[:settings]
 flash[:notice] = l(:notice_successful_update)
 redirect_to :action => 'plugin', :id => @plugin.id
+ else
+ @partial = @plugin.settings[:partial]
+ @settings = Setting["plugin_#{@plugin.id}"]
 end
- @partial = @plugin.settings[:partial]
- @settings = Setting["plugin_#{@plugin.id}"]
 rescue Redmine::PluginNotFound
 render_404
 end