
Replaces @URI.parse@ with @Addressable::URI.parse(url)@ to enhance robustness of @validate_back_url@ (#31831).

Patch by Go MAEDA (@maeda).

git-svn-id: https://svn.redmine.org/redmine/trunk@22710 e93f8b46-1217-0410-a6f0-8f06a7374b81
Marius Balteanu 2024-02-13 23:17:09 +00:00
parent 353ac52d47
commit b010054d69


@ -502,21 +502,20 @@ class ApplicationController < ActionController::Base
end
begin
uri = URI.parse(back_url)
rescue URI::InvalidURIError
uri = Addressable::URI.parse(back_url)
[:scheme, :host, :port].each do |component|
if uri.send(component).present? && uri.send(component) != request.send(component)
return false
end
uri.send(:"#{component}=", nil)
end
# Always ignore basic user:password in the URL
uri.userinfo = nil
rescue Addressable::URI::InvalidURIError
return false
end
[:scheme, :host, :port].each do |component|
if uri.send(component).present? && uri.send(component) != request.send(component)
return false
end
uri.send(:"#{component}=", nil)
end
# Always ignore basic user:password in the URL
uri.userinfo = nil
path = uri.to_s
# Ensure that the remaining URL starts with a slash, followed by a
# non-slash character or the end