author | Arthur Nogueira Neves <github@arthurnn.com> | 2015-06-16 23:28:51 +0200 |
---|---|---|
committer | Arthur Nogueira Neves <github@arthurnn.com> | 2015-06-16 23:28:51 +0200 |
commit | 0b3397872582f2cf1bc6960960a6393f477c55e6 (patch) | |
tree | 1df2a0d3797c54d7b53b50a0f63dac45f6952448 | |
parent | 56d52e3749180e6c1dcf7166adbad967470aa78b (diff) | |
parent | e23b3149458b22cf07382d6aeb2264585e28a339 (diff) | |
Merge pull request #20584 from arthurnn/fix_url
Catch InvalidURIError on bad paths on redirect.
-rw-r--r-- | actionpack/CHANGELOG.md | 4 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/routing/redirection.rb | 12 | ||||
-rw-r--r-- | actionpack/test/journey/router_test.rb | 7 |
3 files changed, 19 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index cb5e7516fb..e8ec3fad73 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,7 @@ +* Handle InvalidURIError on bad paths on redirect route. + + *arthurnn* + * Deprecate passing first parameter as `Hash` and default status code for `head` method. *Mehmet Emin İNAÇ* diff --git a/actionpack/lib/action_dispatch/routing/redirection.rb b/actionpack/lib/action_dispatch/routing/redirection.rb index 3c1c4fadf6..8d965a5f8e 100644 --- a/actionpack/lib/action_dispatch/routing/redirection.rb +++ b/actionpack/lib/action_dispatch/routing/redirection.rb @@ -23,8 +23,12 @@ module ActionDispatch def serve(req) req.check_path_parameters! - uri = URI.parse(path(req.path_parameters, req)) - + begin + uri = URI.parse(path(req.path_parameters, req)) + rescue URI::InvalidURIError + return [ 400, {}, ['Invalid path.'] ] + end + unless uri.host if relative_path?(uri.path) uri.path = "#{req.script_name}/#{uri.path}" @@ -32,7 +36,7 @@ module ActionDispatch uri.path = req.script_name.empty? ? "/" : req.script_name end end - + uri.scheme ||= req.scheme uri.host ||= req.host uri.port ||= req.port unless req.standard_port? @@ -124,7 +128,7 @@ module ActionDispatch url_options[:script_name] = request.script_name end end - + ActionDispatch::Http::URL.url_for url_options end diff --git a/actionpack/test/journey/router_test.rb b/actionpack/test/journey/router_test.rb index 802fb93c69..c4bffa2f15 100644 --- a/actionpack/test/journey/router_test.rb +++ b/actionpack/test/journey/router_test.rb 
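Review bot: The 400 response added in the `rescue URI::InvalidURIError` branch of `serve` (redirection.rb, first hunk) is returned with an empty header hash, so it carries no Content-Type and the client is left to guess how to render the body. I would declare it explicitly, `return [ 400, { 'Content-Type' => 'text/plain' }, ['Invalid path.'] ]`, and keep the body a fixed string as it is now, so the rejected path is never echoed back. The `begin` also wraps the `path(req.path_parameters, req)` call, so an InvalidURIError raised while building the target, rather than while parsing it, would presumably be reported as a client error as well. A short comment such as `# path parameters are interpolated into the target, so a malformed request can make it unparseable` would explain why a 400 is the right status here. The body of `serve` continues past this hunk.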
@@ -219,6 +219,13 @@ module ActionDispatch assert_equal 404, resp.first end + def test_invalid_url_path + routes = Class.new { include ActionDispatch::Routing::Redirection }.new + route = routes.redirect("/foo/bar/%{id}") + resp = route.serve(rails_env({ 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/foo/(function(){})' })) + assert_equal 400, resp.first + end + def test_clear_trailing_slash_from_script_name_on_root_unanchored_routes route_set = Routing::RouteSet.new mapper = Routing::Mapper.new route_set |
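Review bot: `test_invalid_url_path` asserts only the status code, so a later change that starts reflecting the rejected path in the body, or that emits a `Location` header on the error path, would still pass. Pinning the rest of the response closes that gap: `assert_equal ['Invalid path.'], resp.last` and `assert_nil resp[1]['Location']`. A one-line comment saying that `(function(){})` was chosen because it makes the interpolated target unparseable would also help the next reader.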