fixed storing location with bad URL

This commit is contained in:
Maxim Pechnikov 2014-04-23 10:27:23 +04:00
parent 24327c7310
commit a841e6c4f0
3 changed files with 14 additions and 2 deletions

View File

@ -16,6 +16,7 @@
calling `super`
* Serialize the `last_request_at` entry as an Integer
* Ensure registration controller block yields happen on failure in addition to success (by @dpehrson)
* Storing location only for valid url (by @parallel588)
### 3.2.4

View File

@ -33,14 +33,19 @@ module Devise
#
def store_location_for(resource_or_scope, location)
session_key = stored_location_key_for(resource_or_scope)
if location
uri = URI.parse(location)
if (uri = parse_uri(location))
session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
end
end
private
def parse_uri(location)
location && URI.parse(location)
rescue URI::InvalidURIError
nil
end
def stored_location_key_for(resource_or_scope)
scope = Devise::Mapping.find_scope!(resource_or_scope)
"#{scope}_return_to"

View File

@ -193,6 +193,12 @@ class ControllerAuthenticatableTest < ActionController::TestCase
assert_equal "/foo.bar", @controller.stored_location_for(:user)
end
test 'store bad location for stores a location to redirect back to' do
assert_nil @controller.stored_location_for(:user)
@controller.store_location_for(:user, "/foo.bar\">Carry")
assert_nil @controller.stored_location_for(:user)
end
test 'store location for accepts a resource as argument' do
@controller.store_location_for(User.new, "/foo.bar")
assert_equal "/foo.bar", @controller.stored_location_for(User.new)