SECURITY: Don't allow redirects with periods in case you don't control other tlds on the same domain.
Robin Ward 2014-10-30 11:31:44 -04:00
parent 59cc2476a1
commit 316f1bea04
2 changed files with 10 additions and 1 deletions


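--- a/<file path not shown on page: StaticController>
+++ b/<file path not shown on page: StaticController>
@@ -65,7 +65,9 @@ class StaticController < ApplicationController
 begin
 forum_uri = URI(Discourse.base_url)
 uri = URI(params[:redirect])
-if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
+if uri.path.present? &&
+(uri.host.blank? || uri.host == forum_uri.host) &&
+uri.path !~ /\./
 destination = uri.path
 end
 rescue URI::InvalidURIError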
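Review bot: The new `uri.path !~ /\./` condition on the third added line rejects every path containing a dot, which also blocks legitimate same-site destinations such as paths with a file extension, while the problem the commit message describes is a relative path like `.org/foo` being joined onto the host by the subsequent redirect. Requiring an absolute path, `uri.path.start_with?('/')`, addresses that case directly without excluding dotted paths; if the blanket period ban is kept deliberately, a comment such as `# a relative path (".org/foo") would extend the host when redirected` would record the intent for the next reader. The enclosing method begins and ends outside the hunk, so the redirect call itself is not visible here.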


@ -89,6 +89,13 @@ describe StaticController do
end end
end end
context 'with a period to force a new host' do
it 'redirects to the root path' do
xhr :post, :enter, redirect: ".org/foo"
expect(response).to redirect_to '/'
end
end
context 'with a full url to someone else' do context 'with a full url to someone else' do
it 'redirects to the root path' do it 'redirects to the root path' do
xhr :post, :enter, redirect: "http://eviltrout.com/foo" xhr :post, :enter, redirect: "http://eviltrout.com/foo"