Sanitize the URLs passed to redirect_to to prevent a potential response splitting attack.

CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers, so care needs to be taken.
author: Michael Koziarski <michael@koziarski.com> 2008-10-14 11:37:59 +0200
committer: Michael Koziarski <michael@koziarski.com> 2008-10-19 15:24:18 +0200
commit: ba80ff74a9627f676b4c426587ce5ea487665e46 (patch)
tree: 6b2c92007c38ca274ea45d8dd52f401b81ae44e6 /actionpack
parent: de0ed534f6055c365d05c685582edeceef1eafa6 (diff)
download: rails-ba80ff74a9627f676b4c426587ce5ea487665e46.tar.gz
rails-ba80ff74a9627f676b4c426587ce5ea487665e46.tar.bz2
rails-ba80ff74a9627f676b4c426587ce5ea487665e46.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
index 54a99996ef..b440065482 100644
--- a/actionpack/lib/action_controller/response.rb
+++ b/actionpack/lib/action_controller/response.rb
@@ -114,8 +114,8 @@ module ActionController # :nodoc:
 
     def redirect(url, status)
       self.status = status
-      self.location = url
-      self.body = "<html><body>You are being <a href=\"#{url}\">redirected</a>.</body></html>"
+      self.location = url.gsub(/[\r\n]/, '')
+      self.body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(url)}\">redirected</a>.</body></html>"
     end
 
     def sending_file?
author	Michael Koziarski <michael@koziarski.com>	2008-10-14 11:37:59 +0200
committer	Michael Koziarski <michael@koziarski.com>	2008-10-19 15:24:18 +0200
commit	ba80ff74a9627f676b4c426587ce5ea487665e46 (patch)
tree	6b2c92007c38ca274ea45d8dd52f401b81ae44e6 /actionpack
parent	de0ed534f6055c365d05c685582edeceef1eafa6 (diff)
download	rails-ba80ff74a9627f676b4c426587ce5ea487665e46.tar.gz rails-ba80ff74a9627f676b4c426587ce5ea487665e46.tar.bz2 rails-ba80ff74a9627f676b4c426587ce5ea487665e46.zip