SECURITY: Don't allow redirects with periods in case you don't control

other tlds on the same domain.
2024-11-23 03:16:41 +08:00 · 2014-10-30 11:31:44 -04:00 · 2014-10-30 11:31:44 -04:00 · 316f1bea04
commit 316f1bea04
parent 59cc2476a1
2 changed files with 10 additions and 1 deletions
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@ -65,7 +65,9 @@ class StaticController < ApplicationController
      begin
        forum_uri = URI(Discourse.base_url)
        uri = URI(params[:redirect])
-        if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
+        if uri.path.present? &&
+           (uri.host.blank? || uri.host == forum_uri.host) &&
+           uri.path !~ /\./
          destination = uri.path
        end
      rescue URI::InvalidURIError
--- a/spec/controllers/static_controller_spec.rb
+++ b/spec/controllers/static_controller_spec.rb
@ -89,6 +89,13 @@ describe StaticController do
      end
    end

+    context 'with a period to force a new host' do
+      it 'redirects to the root path' do
+        xhr :post, :enter, redirect: ".org/foo"
+        expect(response).to redirect_to '/'
+      end
+    end
+
    context 'with a full url to someone else' do
      it 'redirects to the root path' do
        xhr :post, :enter, redirect: "http://eviltrout.com/foo"