0001-Prevent-open-redirect-to-arbitrary-hosts.patch

Jan from Planio www.plan.io, 2015-04-12 23:38

Download (3.69 KB)

View differences:

app/controllers/application_controller.rb
393 393

  
394 394
  def redirect_back_or_default(default, options={})
395 395
    back_url = params[:back_url].to_s
396
    if back_url.present? && valid_back_url?(back_url)
397
      redirect_to(back_url)
396
    if back_url.present? && valid_url = validate_back_url(back_url)
397
      redirect_to(valid_url)
398 398
      return
399 399
    elsif options[:referer]
400 400
      redirect_to_referer_or default
......
404 404
    false
405 405
  end
406 406

  
407
  # Returns true if back_url is a valid url for redirection, otherwise false
408
  def valid_back_url?(back_url)
407
  # Returns a validated URL string if back_url is a valid url for redirection,
408
  # otherwise false
409
  def validate_back_url(back_url)
409 410
    if CGI.unescape(back_url).include?('..')
410 411
      return false
411 412
    end
......
416 417
      return false
417 418
    end
418 419

  
419
    if uri.host.present? && uri.host != request.host
420
    [:scheme, :host, :port].each do |component|
421
      if uri.send(component).present? && uri.send(component) != request.send(component)
422
        return false
423
      end
424
      uri.send(:"#{component}=", nil)
425
    end
426
    # Always ignore basic user:password in the URL
427
    uri.userinfo = nil
428

  
429
    path = uri.to_s
430
    # Ensure that the remaining URL starts with a slash, followed by a
431
    # non-slash character or the end
432
    if path !~ %r{\A/([^/]|\z)}
420 433
      return false
421 434
    end
422 435

  
423
    if uri.path.match(%r{/(login|account/register)})
436
    if path.match(%r{/(login|account/register)})
424 437
      return false
425 438
    end
426 439

  
427
    if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
440
    if relative_url_root.present? && !path.starts_with?(relative_url_root)
428 441
      return false
429 442
    end
430 443

  
431
    return true
444
    return path
445
  end
446
  private :validate_back_url
447

  
448
  def valid_back_url?(back_url)
449
    !!validate_back_url(back_url)
432 450
  end
433 451
  private :valid_back_url?
434 452

  
test/functional/account_controller_test.rb
63 63
    # request.uri is "test.host" in test environment
64 64
    back_urls = [
65 65
      'http://test.host/issues/show/1',
66
      'http://test.host/',
66 67
      '/'
67 68
    ]
68 69
    back_urls.each do |back_url|
......
90 91
  def test_login_should_not_redirect_to_another_host
91 92
    back_urls = [
92 93
      'http://test.foo/fake',
93
      '//test.foo/fake'
94
      '//test.foo/fake',
95
      'http://test.host//fake',
96
      'http://test.host/\n//fake',
97
      '//bar@test.foo',
98
      '//test.foo',
99
      '////test.foo',
100
      '@test.foo',
101
      'fake@test.foo'
94 102
    ]
95 103
    back_urls.each do |back_url|
96 104
      post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
97
-