SECURITY: Only redirect to our host by path on the login action
This commit is contained in:
parent
5db66aeafa
commit
9ad246affe
|
@ -54,13 +54,21 @@ class StaticController < ApplicationController
|
||||||
params.delete(:username)
|
params.delete(:username)
|
||||||
params.delete(:password)
|
params.delete(:password)
|
||||||
|
|
||||||
redirect_to(
|
destination = "/"
|
||||||
if params[:redirect].blank? || params[:redirect].match(login_path)
|
|
||||||
"/"
|
if params[:redirect].present? && !params[:redirect].match(login_path)
|
||||||
else
|
begin
|
||||||
params[:redirect]
|
forum_uri = URI(Discourse.base_url)
|
||||||
|
uri = URI(params[:redirect])
|
||||||
|
if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
|
||||||
|
destination = uri.path
|
||||||
|
end
|
||||||
|
rescue URI::InvalidURIError
|
||||||
|
# Do nothing if the URI is invalid
|
||||||
end
|
end
|
||||||
)
|
end
|
||||||
|
|
||||||
|
redirect_to destination
|
||||||
end
|
end
|
||||||
|
|
||||||
skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
|
skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
|
||||||
|
|
|
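Review bot: The check `if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)` accepts any non-empty path, including one that does not begin with `/`; a host-less value such as `foo` passes it and reaches `redirect_to destination` as an unanchored relative string, so the redirect is no longer guaranteed to resolve against this forum's own origin. Anchoring the path makes the intent explicit and fails closed: `if uri.path.present? && uri.path.start_with?("/") && (uri.host.blank? || uri.host == forum_uri.host)`. The host comparison is exact, so a differently-cased spelling of the forum host falls back to `/`, which is acceptable but deserves a short comment. Only `uri.path` is kept, so any query string or fragment on the redirect is dropped — presumably intended, and worth stating in the `# Do nothing if the URI is invalid` comment or next to `destination = uri.path`. The method containing this code begins before the hunk.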
@ -82,6 +82,27 @@ describe StaticController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with a full url' do
|
||||||
|
it 'redirects to the correct path' do
|
||||||
|
xhr :post, :enter, redirect: "#{Discourse.base_url}/foo"
|
||||||
|
expect(response).to redirect_to '/foo'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a full url to someone else' do
|
||||||
|
it 'redirects to the root path' do
|
||||||
|
xhr :post, :enter, redirect: "http://eviltrout.com/foo"
|
||||||
|
expect(response).to redirect_to '/'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with an invalid URL' do
|
||||||
|
it "redirects to the root" do
|
||||||
|
xhr :post, :enter, redirect: "javascript:alert('trout')"
|
||||||
|
expect(response).to redirect_to '/'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'when the redirect path is the login page' do
|
context 'when the redirect path is the login page' do
|
||||||
it 'redirects to the root url' do
|
it 'redirects to the root url' do
|
||||||
xhr :post, :enter, redirect: login_path
|
xhr :post, :enter, redirect: login_path
|
||||||
|
|
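Review bot: The new contexts cover an absolute URL on the forum host, a foreign host and a `javascript:` value, but none exercises a host-less redirect that lacks a leading `/`; with the controller's check as written, a bare relative value passes the host test and is handed to `redirect_to` unanchored. A context such as `context 'with a relative path' do` / `xhr :post, :enter, redirect: "foo"` / `expect(response).to redirect_to '/'` would pin the intended fail-closed behaviour. A protocol-relative value (`"//eviltrout.com/foo"`, reusing the host already in this spec) is also worth asserting redirects to `/`, since `URI` parses it with a host and it must not be treated as a local path. The surrounding `describe` block begins before the hunk.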