mirror of
https://github.com/discourse/discourse.git
synced 2024-12-16 20:36:28 +08:00
SECURITY: Only redirect to our host by path on the login action
This commit is contained in:
parent
5db66aeafa
commit
9ad246affe
|
@ -54,13 +54,21 @@ class StaticController < ApplicationController
|
|||
params.delete(:username)
|
||||
params.delete(:password)
|
||||
|
||||
redirect_to(
|
||||
if params[:redirect].blank? || params[:redirect].match(login_path)
|
||||
"/"
|
||||
else
|
||||
params[:redirect]
|
||||
destination = "/"
|
||||
|
||||
if params[:redirect].present? && !params[:redirect].match(login_path)
|
||||
begin
|
||||
forum_uri = URI(Discourse.base_url)
|
||||
uri = URI(params[:redirect])
|
||||
if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
|
||||
destination = uri.path
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
# Do nothing if the URI is invalid
|
||||
end
|
||||
)
|
||||
end
|
||||
|
||||
redirect_to destination
|
||||
end
|
||||
|
||||
skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
|
||||
|
|
|
@ -82,6 +82,27 @@ describe StaticController do
|
|||
end
|
||||
end
|
||||
|
||||
context 'with a full url' do
|
||||
it 'redirects to the correct path' do
|
||||
xhr :post, :enter, redirect: "#{Discourse.base_url}/foo"
|
||||
expect(response).to redirect_to '/foo'
|
||||
end
|
||||
end
|
||||
|
||||
context 'with a full url to someone else' do
|
||||
it 'redirects to the root path' do
|
||||
xhr :post, :enter, redirect: "http://eviltrout.com/foo"
|
||||
expect(response).to redirect_to '/'
|
||||
end
|
||||
end
|
||||
|
||||
context 'with an invalid URL' do
|
||||
it "redirects to the root" do
|
||||
xhr :post, :enter, redirect: "javascript:alert('trout')"
|
||||
expect(response).to redirect_to '/'
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the redirect path is the login page' do
|
||||
it 'redirects to the root url' do
|
||||
xhr :post, :enter, redirect: login_path
|
||||
|
|
Loading…
Reference in New Issue
Block a user