SECURITY: Only redirect to our host by path on the login action

2025-06-01 01:55:46 +08:00 · 2014-08-28 17:45:13 -04:00
parent 9e2c72e277
commit 85c6eb9b08
2 changed files with 35 additions and 6 deletions
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@ -54,13 +54,21 @@ class StaticController < ApplicationController
    params.delete(:username)
    params.delete(:password)

-    redirect_to(
-      if params[:redirect].blank? || params[:redirect].match(login_path)
-        "/"
-      else
-        params[:redirect]
+    destination = "/"
+
+    if params[:redirect].present? && !params[:redirect].match(login_path)
+      begin
+        forum_uri = URI(Discourse.base_url)
+        uri = URI(params[:redirect])
+        if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
+          destination = uri.path
+        end
+      rescue URI::InvalidURIError
+        # Do nothing if the URI is invalid
      end
-    )
+    end
+
+    redirect_to destination
  end

  skip_before_filter :verify_authenticity_token, only: [:cdn_asset]