From 85c6eb9b085ac583f0122d3186a964c3509c4360 Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Thu, 28 Aug 2014 17:45:13 -0400 Subject: [PATCH] SECURITY: Only redirect to our host by path on the login action --- app/controllers/static_controller.rb | 20 ++++++++++++++------ spec/controllers/static_controller_spec.rb | 21 +++++++++++++++++++++ 2 files changed, 35 insertions(+), 6 deletions(-) diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb index f29c24b63..3a452362c 100644 --- a/app/controllers/static_controller.rb +++ b/app/controllers/static_controller.rb @@ -54,13 +54,21 @@ class StaticController < ApplicationController params.delete(:username) params.delete(:password) - redirect_to( - if params[:redirect].blank? || params[:redirect].match(login_path) - "/" - else - params[:redirect] + destination = "/" + + if params[:redirect].present? && !params[:redirect].match(login_path) + begin + forum_uri = URI(Discourse.base_url) + uri = URI(params[:redirect]) + if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host) + destination = uri.path + end + rescue URI::InvalidURIError + # Do nothing if the URI is invalid end - ) + end + + redirect_to destination end skip_before_filter :verify_authenticity_token, only: [:cdn_asset] diff --git a/spec/controllers/static_controller_spec.rb b/spec/controllers/static_controller_spec.rb index 4b1a63805..86c185503 100644 --- a/spec/controllers/static_controller_spec.rb +++ b/spec/controllers/static_controller_spec.rb @@ -82,6 +82,27 @@ describe StaticController do end end + context 'with a full url' do + it 'redirects to the correct path' do + xhr :post, :enter, redirect: "#{Discourse.base_url}/foo" + expect(response).to redirect_to '/foo' + end + end + + context 'with a full url to someone else' do + it 'redirects to the root path' do + xhr :post, :enter, redirect: "http://eviltrout.com/foo" + expect(response).to redirect_to '/' + end + end + + context 'with an invalid URL' do + it "redirects to the root" do + xhr :post, :enter, redirect: "javascript:alert('trout')" + expect(response).to redirect_to '/' + end + end + context 'when the redirect path is the login page' do it 'redirects to the root url' do xhr :post, :enter, redirect: login_path