SECURITY: Only redirect to our host by path on the login action

This commit is contained in:
Robin Ward 2014-08-28 17:45:13 -04:00
parent 9e2c72e277
commit 85c6eb9b08
2 changed files with 35 additions and 6 deletions


@ -54,13 +54,21 @@ class StaticController < ApplicationController
params.delete(:username)
params.delete(:password)
redirect_to(
if params[:redirect].blank? || params[:redirect].match(login_path)
"/"
else
params[:redirect]
destination = "/"
if params[:redirect].present? && !params[:redirect].match(login_path)
begin
forum_uri = URI(Discourse.base_url)
uri = URI(params[:redirect])
if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
destination = uri.path
end
rescue URI::InvalidURIError
# Do nothing if the URI is invalid
end
)
end
redirect_to destination
end
skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
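Review bot: The host check on the new inner `if` line (`uri.host.blank? || uri.host == forum_uri.host`) accepts any relative path, so `destination` can end up without a leading slash (a bare `foo`) or with a leading `//`, which browsers treat as scheme-relative if it ever reaches the client unprefixed; I would also require the path to begin with exactly one `/`, e.g. `if uri.path.present? && uri.path.start_with?('/') && !uri.path.start_with?('//') && (uri.host.blank? || uri.host == forum_uri.host)`. Whether this Rails version's `redirect_to` prefixes the request host onto a `//` string is not visible here, so the extra check is defence in depth rather than a demonstrated gap. Separately, keeping only `uri.path` silently drops the query string and fragment, so a same-host redirect such as `/t/topic?page=2` now lands on `/t/topic`; if that is unintended, append `uri.query` when present. The `enter` action begins before this hunk.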


@ -82,6 +82,27 @@ describe StaticController do
end
end
context 'with a full url' do
it 'redirects to the correct path' do
xhr :post, :enter, redirect: "#{Discourse.base_url}/foo"
expect(response).to redirect_to '/foo'
end
end
context 'with a full url to someone else' do
it 'redirects to the root path' do
xhr :post, :enter, redirect: "http://eviltrout.com/foo"
expect(response).to redirect_to '/'
end
end
context 'with an invalid URL' do
it "redirects to the root" do
xhr :post, :enter, redirect: "javascript:alert('trout')"
expect(response).to redirect_to '/'
end
end
context 'when the redirect path is the login page' do
it 'redirects to the root url' do
xhr :post, :enter, redirect: login_path