diff options
| author | Egor Homakov <homakov@gmail.com> | 2013-02-01 00:01:11 +0700 |
|---|---|---|
| committer | Egor Homakov <homakov@gmail.com> | 2013-02-01 00:01:11 +0700 |
| commit | baa240d09c09b74e9bc69c91e4b5c9fb5bca2005 (patch) | |
| tree | cbf92899e7930347a83d7ad4ed64b1e9391abf24 /actionpack/lib/action_controller/metal | |
| parent | ee4a2bb23d46ee3e644293ba59b70fa7ecb3f7eb (diff) | |
| download | rails-baa240d09c09b74e9bc69c91e4b5c9fb5bca2005.tar.gz rails-baa240d09c09b74e9bc69c91e4b5c9fb5bca2005.tar.bz2 rails-baa240d09c09b74e9bc69c91e4b5c9fb5bca2005.zip | |
Use \A in Regexps
So, if there is redirect_to params[:q]
i can send ?q=javascript:asdf()%0A/localpath
Or something more nasty, so please use \A
Diffstat (limited to 'actionpack/lib/action_controller/metal')
| -rw-r--r-- | actionpack/lib/action_controller/metal/redirecting.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb index 59b91a240e..e9031f3fac 100644 --- a/actionpack/lib/action_controller/metal/redirecting.rb +++ b/actionpack/lib/action_controller/metal/redirecting.rb @@ -88,7 +88,7 @@ module ActionController # letters, digits, and the plus ("+"), period ("."), or hyphen ("-") # characters; and is terminated by a colon (":"). # The protocol relative scheme starts with a double slash "//" - when %r{^(\w[\w+.-]*:|//).*} + when %r{\A(\w[\w+.-]*:|//).*} options when String request.protocol + request.host_with_port + options |