authorGannon McGibbon <gannon.mcgibbon@gmail.com>2019-01-22 11:40:13 -0500
committerGannon McGibbon <gannon.mcgibbon@gmail.com>2019-01-22 11:40:13 -0500
commit2e0ca9284a6864cfbbb632d849df3fdd7a7c554e (patch)
treebae8c7bdbdf70dd05a506527f2724ddf4ec1dad7 /actionpack/lib/action_controller
parente26f0658da7ff7e9382d6040fe76c087ff1791e4 (diff)
Revert ensure external redirects are explicitly allowed
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/metal/force_ssl.rb3
-rw-r--r--actionpack/lib/action_controller/metal/redirecting.rb33
2 files changed, 7 insertions, 29 deletions
diff --git a/actionpack/lib/action_controller/metal/force_ssl.rb b/actionpack/lib/action_controller/metal/force_ssl.rb
index 205f84ae36..93fd57b640 100644
--- a/actionpack/lib/action_controller/metal/force_ssl.rb
+++ b/actionpack/lib/action_controller/metal/force_ssl.rb
@@ -13,7 +13,7 @@ module ActionController
ACTION_OPTIONS = [:only, :except, :if, :unless]
URL_OPTIONS = [:protocol, :host, :domain, :subdomain, :port, :path]
- REDIRECT_OPTIONS = [:status, :flash, :alert, :notice, :allow_other_host]
+ REDIRECT_OPTIONS = [:status, :flash, :alert, :notice]
module ClassMethods # :nodoc:
def force_ssl(options = {})
@@ -41,7 +41,6 @@ module ActionController
host: request.host,
path: request.fullpath,
status: :moved_permanently,
- allow_other_host: true,
}
if host_or_options.is_a?(Hash)
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 8bd003f5ed..67c198d150 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -60,7 +60,7 @@ module ActionController
raise AbstractController::DoubleRenderError if response_body
self.status = _extract_redirect_to_status(options, response_options)
- self.location = _compute_safe_redirect_to_location(request, options, response_options)
+ self.location = _compute_redirect_to_location(request, options)
self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
end
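Review bot: After this change `self.location` on the `+` line is whatever `_compute_redirect_to_location` returns for `options`, and nothing left in `redirect_to` compares that location against `request.host`; the only host check remaining in this file is the one `redirect_back` applies to the Referer. That is the behaviour the revert deliberately restores, but the method's documentation (which starts outside this hunk) should state it so callers know validation is their job, e.g. `# The computed location is used as given: it is not checked against request.host, so validate any user-supplied target before calling.` Only the closing `end` of `redirect_to` is visible here; its signature and doc comment are outside the hunk.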
@@ -88,13 +88,9 @@ module ActionController
# All other options that can be passed to <tt>redirect_to</tt> are accepted as
# options and the behavior is identical.
def redirect_back(fallback_location:, allow_other_host: true, **args)
- referer = request.headers.fetch("Referer", fallback_location)
- response_options = {
- fallback_location: fallback_location,
- allow_other_host: allow_other_host,
- **args,
- }
- redirect_to referer, response_options
+ referer = request.headers["Referer"]
+ redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
+ redirect_to redirect_to_referer ? referer : fallback_location, **args
end
def _compute_redirect_to_location(request, options) #:nodoc:
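Review bot: The host check on the new `redirect_to_referer =` line is bypassed whenever `allow_other_host` is true, and the unchanged signature keeps `allow_other_host: true` as the default, so by default `redirect_back` follows whatever `Referer` value the client sent. The visible tail of the doc comment ("All other options ... are accepted") does not say this; add above the signature `# +allow_other_host+ defaults to true; pass +allow_other_host: false+ to use +fallback_location+ whenever the Referer's host differs from +request.host+.` The doc comment begins outside the hunk, and the `_compute_redirect_to_location` definition shown as trailing context continues past it.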
@@ -118,23 +114,6 @@ module ActionController
public :_compute_redirect_to_location
private
- def _compute_safe_redirect_to_location(request, options, response_options)
- location = _compute_redirect_to_location(request, options)
- location_options = options.is_a?(Hash) ? options : {}
- if response_options[:allow_other_host] || _url_host_allowed?(location, location_options)
- location
- else
- fallback_location = response_options.fetch(:fallback_location) do
- raise ArgumentError, <<~MSG.squish
- Unsafe redirect #{location.inspect},
- use :fallback_location to specify a fallback
- or :allow_other_host to redirect anyway.
- MSG
- end
- _compute_redirect_to_location(request, fallback_location)
- end
- end
-
def _extract_redirect_to_status(options, response_options)
if options.is_a?(Hash) && options.key?(:status)
Rack::Utils.status_code(options.delete(:status))
@@ -145,8 +124,8 @@ module ActionController
end
end
- def _url_host_allowed?(url, options = {})
- URI(url.to_s).host.in?([request.host, options[:host]])
+ def _url_host_allowed?(url)
+ URI(url.to_s).host == request.host
rescue ArgumentError, URI::Error
false
end
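Review bot: The rewritten `_url_host_allowed?` is private and undocumented, yet after this revert it is the only host check left in the file, so its fail-closed edges deserve a comment: the new comparison requires an exact `host == request.host` match, a relative URL with no host (`URI#host` is nil) therefore returns false, and the existing `rescue ArgumentError, URI::Error` turns unparseable input into false as well. Suggested comment above the `def`: `# True only when +url+ parses and its host equals request.host exactly; relative, hostless or unparseable URLs yield false.` Scheme and port are not part of the comparison, which is acceptable for the fallback decision in `redirect_back` but worth stating explicitly. The hunk's final `end` closes the method; the enclosing module continues outside the hunk.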