Merge pull request #20584 from arthurnn/fix_url

Catch InvalidURIError on bad paths on redirect.

1 files changed, 8 insertions, 4 deletions

diff --git a/actionpack/lib/action_dispatch/routing/redirection.rb b/actionpack/lib/action_dispatch/routing/redirection.rb
index 3c1c4fadf6..8d965a5f8e 100644
--- a/actionpack/lib/action_dispatch/routing/redirection.rb
+++ b/actionpack/lib/action_dispatch/routing/redirection.rb
@@ -23,8 +23,12 @@ module ActionDispatch
 
       def serve(req)
         req.check_path_parameters!
-        uri = URI.parse(path(req.path_parameters, req))
-        
+        begin
+          uri = URI.parse(path(req.path_parameters, req))
+        rescue URI::InvalidURIError
+          return [ 400, {}, ['Invalid path.'] ]
+        end
+
         unless uri.host
           if relative_path?(uri.path)
             uri.path = "#{req.script_name}/#{uri.path}"
@@ -32,7 +36,7 @@ module ActionDispatch
             uri.path = req.script_name.empty? ? "/" : req.script_name
           end
         end
-          
+
         uri.scheme ||= req.scheme
         uri.host   ||= req.host
         uri.port   ||= req.port unless req.standard_port?
@@ -124,7 +128,7 @@ module ActionDispatch
             url_options[:script_name] = request.script_name
           end
         end
-        
+
         ActionDispatch::Http::URL.url_for url_options
       end