FIX: Do not ignore redirects containing "/login" in the path (#29960)
This commit is contained in:
parent
469374e063
commit
43ae59bb9c
|
@ -128,18 +128,19 @@ class StaticController < ApplicationController
|
|||
redirect_location = params[:redirect]
|
||||
if redirect_location.present? && !redirect_location.is_a?(String)
|
||||
raise Discourse::InvalidParameters.new(:redirect)
|
||||
elsif redirect_location.present? && !redirect_location.match(login_path)
|
||||
begin
|
||||
forum_uri = URI(Discourse.base_url)
|
||||
uri = URI(redirect_location)
|
||||
elsif redirect_location.present? &&
|
||||
begin
|
||||
forum_uri = URI(Discourse.base_url)
|
||||
uri = URI(redirect_location)
|
||||
|
||||
if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host) &&
|
||||
uri.path =~ %r{\A\/{1}[^\.\s]*\z}
|
||||
destination = "#{uri.path}#{uri.query ? "?#{uri.query}" : ""}"
|
||||
end
|
||||
rescue URI::Error
|
||||
# Do nothing if the URI is invalid
|
||||
end
|
||||
if uri.path.present? && !uri.path.starts_with?(login_path) &&
|
||||
(uri.host.blank? || uri.host == forum_uri.host) &&
|
||||
uri.path =~ %r{\A\/{1}[^\.\s]*\z}
|
||||
destination = "#{uri.path}#{uri.query ? "?#{uri.query}" : ""}"
|
||||
end
|
||||
rescue URI::Error
|
||||
# Do nothing if the URI is invalid
|
||||
end
|
||||
end
|
||||
|
||||
redirect_to(destination, allow_other_host: false)
|
||||
|
|
|
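Review bot: The trailing `&&` on the new `elsif redirect_location.present? &&` line turns the whole `begin … rescue URI::Error … end` block into the right-hand operand of the condition, so the branch itself has an empty body and only works because `destination` is assigned as a side effect while the condition is evaluated. Dropping the operator, `elsif redirect_location.present?`, and keeping the `begin` block as the branch body yields the same result and stops any statement later added after the block from silently becoming the branch body. The new `!uri.path.starts_with?(login_path)` check also rejects every path that merely begins with the login path (a path such as `/login-help`, assuming `login_path` resolves to `/login`); if only the login page itself should be excluded, comparing for equality or for `login_path` followed by `/` would be narrower, which may or may not be intended here. The enclosing action starts above the hunk.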
@ -321,6 +321,12 @@ RSpec.describe StaticController do
|
|||
end
|
||||
end
|
||||
|
||||
context "when the redirect path contains the '/login' string" do
|
||||
it "redirects to the requested path" do
|
||||
post "/login.json", params: { redirect: "/page/login/1" }
|
||||
expect(response).to redirect_to("/page/login/1")
|
||||
end
|
||||
end
|
||||
context "when the redirect path is invalid" do
|
||||
it "redirects to the root URL" do
|
||||
post "/login.json", params: { redirect: "test" }
|
||||
|
|
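Review bot: The new context only exercises a path with `/login` in the middle (`/page/login/1`); nothing in this hunk pins that a redirect to the login path itself is still ignored, which is the behaviour the controller's new `starts_with?(login_path)` check is meant to keep. Unless an example elsewhere in the file already covers it, a sibling `it` that posts `redirect: "/login"` and expects the same fallback redirect as the invalid-path example below would guard the fix from being widened later. The surrounding `describe` block starts above the hunk.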