Ensure we only store paths in store_location_for (thanks to @homakov for the tip)

2013-11-13 13:30:24 +01:00 · 2013-11-13 13:30:24 +01:00 · 0582467032
parent 221be6d6ef
commit 0582467032
2 changed files with 9 additions and 1 deletions
--- a/lib/devise/controllers/store_location.rb
+++ b/lib/devise/controllers/store_location.rb
@ -1,3 +1,5 @@
+require "uri"
+
 module Devise
  module Controllers
    # Provide the ability to store a location.
@ -31,7 +33,7 @@ module Devise
      #
      def store_location_for(resource_or_scope, location)
        session_key = stored_location_key_for(resource_or_scope)
-        session[session_key] = location
+        session[session_key] = URI.parse(location).path
      end

      private
--- a/test/controllers/helpers_test.rb
+++ b/test/controllers/helpers_test.rb
@ -198,6 +198,12 @@ class ControllerAuthenticatableTest < ActionController::TestCase
    assert_equal "/foo.bar", @controller.stored_location_for(User.new)
  end

+  test 'store location for stores only paths' do
+    assert_nil @controller.stored_location_for(:user)
+    @controller.store_location_for(:user, "//host/foo.bar")
+    assert_equal "/foo.bar", @controller.stored_location_for(:user)
+  end
+
  test 'after sign in path defaults to root path if none by was specified for the given scope' do
    assert_equal root_path, @controller.after_sign_in_path_for(:user)
  end