From 316f1bea04d2d8b7c5789c64ad2da859fd9afc20 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Thu, 30 Oct 2014 11:31:44 -0400
Subject: [PATCH] SECURITY: Don't allow redirects with periods in case you don't control other tlds on the same domain.

---
 app/controllers/static_controller.rb | 4 +++-
 spec/controllers/static_controller_spec.rb | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index 98956299b..41c66bd98 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -65,7 +65,9 @@ class StaticController < ApplicationController
 begin
 forum_uri = URI(Discourse.base_url)
 uri = URI(params[:redirect])
- if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
+ if uri.path.present? &&
+ (uri.host.blank? || uri.host == forum_uri.host) &&
+ uri.path !~ /\./
 destination = uri.path
 end
 rescue URI::InvalidURIError
diff --git a/spec/controllers/static_controller_spec.rb b/spec/controllers/static_controller_spec.rb
index 86c185503..9621593d9 100644
--- a/spec/controllers/static_controller_spec.rb
+++ b/spec/controllers/static_controller_spec.rb
@@ -89,6 +89,13 @@ describe StaticController do
 end
 end
 
+ context 'with a period to force a new host' do
+ it 'redirects to the root path' do
+ xhr :post, :enter, redirect: ".org/foo"
+ expect(response).to redirect_to '/'
+ end
+ end
+
 context 'with a full url to someone else' do
 it 'redirects to the root path' do
 xhr :post, :enter, redirect: "http://eviltrout.com/foo"
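Review bot: The added `uri.path !~ /\./` guard is a denylist that also rejects legitimate same-site destinations whose path contains a period, such as `/u/john.doe` or `/t/topic/1.json`, silently sending those users to the fallback instead of where they asked to go. The case it targets (`.org/foo` parses with a blank host) only arises because `destination` is allowed to be a path that does not begin with `/`, so the positive check is to require a rooted, non-protocol-relative path: replace the new third condition with `uri.path.start_with?('/') && !uri.path.start_with?('//')`. That keeps dotted paths working, still rejects `.org/foo`, and also rejects dot-free inputs like `@evil/foo`, which parse with a blank host and a period-free path and so appear to pass the new condition — whether they reach a different host depends on how `destination` is later passed to the redirect, which is outside this hunk. The enclosing method begins and ends outside the hunk.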
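Review bot: The new example pins only the `.org/foo` rejection; nothing asserts that an ordinary same-site path containing a period still redirects, so the regression the period check introduces for destinations like `/u/john.doe` is invisible to the suite. Add a companion example in the same style, `xhr :post, :enter, redirect: "/u/john.doe"` followed by `expect(response).to redirect_to '/u/john.doe'`, which documents the intended contract (and will fail against this commit as written). A dot-free input such as `@evil/foo`, expected to redirect to `/`, is also worth an example, since the period check does not cover it. The enclosing `describe StaticController do` block continues outside the hunk.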