Merge pull request #44650 from tomhughes/relative-redirect
Allow relative redirects when `raise_on_open_redirects` is enabled
commit
1bca3cc406
|
@ -1,3 +1,7 @@
|
||||||
|
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
||||||
|
|
||||||
|
*Tom Hughes*
|
||||||
|
|
||||||
* Allow Content Security Policy DSL to generate for API responses.
|
* Allow Content Security Policy DSL to generate for API responses.
|
||||||
|
|
||||||
*Tim Wade*
|
*Tim Wade*
|
||||||
|
|
|
@ -195,7 +195,7 @@ module ActionController
|
||||||
end
|
end
|
||||||
|
|
||||||
def _url_host_allowed?(url)
|
def _url_host_allowed?(url)
|
||||||
URI(url.to_s).host == request.host
|
[request.host, nil].include?(URI(url.to_s).host)
|
||||||
rescue ArgumentError, URI::Error
|
rescue ArgumentError, URI::Error
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
|
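Review bot: In `_url_host_allowed?`, accepting a nil host is broader than "relative path". `URI(...).host` is also nil for opaque URIs that carry a scheme and for any string without an authority part, so `url_from` and the `raise_on_open_redirects` check now pass values that are not paths on this site. I would tie the nil case to the shape of the string: `host = URI(url.to_s).host` followed by `host == request.host || (host.nil? && url.to_s.start_with?("/") && !url.to_s.start_with?("//"))`. A comment above the check, such as `# nil host: path-only URL, resolved by the browser against the current origin`, would record why nil is accepted. The method is fully visible in this hunk; the enclosing module is not.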
@ -88,6 +88,10 @@ class RedirectController < ActionController::Base
|
||||||
redirect_back_or_to "http://www.rubyonrails.org/"
|
redirect_back_or_to "http://www.rubyonrails.org/"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def only_path_redirect
|
||||||
|
redirect_to action: "other_host", only_path: true
|
||||||
|
end
|
||||||
|
|
||||||
def safe_redirect_with_fallback
|
def safe_redirect_with_fallback
|
||||||
redirect_to url_from(params[:redirect_url]) || "/fallback"
|
redirect_to url_from(params[:redirect_url]) || "/fallback"
|
||||||
end
|
end
|
||||||
|
@ -500,6 +504,14 @@ class RedirectTest < ActionController::TestCase
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_only_path_redirect
|
||||||
|
with_raise_on_open_redirects do
|
||||||
|
get :only_path_redirect
|
||||||
|
assert_response :redirect
|
||||||
|
assert_redirected_to "/redirect/other_host"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def test_url_from
|
def test_url_from
|
||||||
with_raise_on_open_redirects do
|
with_raise_on_open_redirects do
|
||||||
get :safe_redirect_with_fallback, params: { redirect_url: "http://test.host/app" }
|
get :safe_redirect_with_fallback, params: { redirect_url: "http://test.host/app" }
|
||||||
|
|
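Review bot: `test_only_path_redirect` covers only the newly permitted case, so nothing here pins down what must still be refused once a nil host is accepted. A companion test through `safe_redirect_with_fallback`, using a value that has no host and is not a path, should assert the `/fallback` redirect. With the check as written in this commit I would expect that test to fail, which is the gap worth closing. `test_url_from` continues past the end of the hunk.

```ruby
# … unchanged: test_only_path_redirect …

def test_url_from_rejects_hostless_non_path
  with_raise_on_open_redirects do
    # constructed sample value: parses with a nil host but is not a path on this site
    get :safe_redirect_with_fallback, params: { redirect_url: "mailto:user@example.com" }
    assert_response :redirect
    assert_redirected_to "/fallback"
  end
end

# … unchanged: test_url_from …
```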