| field | value | date |
|---|---|---|
| author | Damien Burke <damien@damienburke.com> | 2015-11-03 17:17:10 -0800 |
| committer | Damien Burke <damien@damienburke.com> | 2015-11-03 17:20:48 -0800 |
| commit | ab5fb4f22430afa58c334f7e7e142660164490e5 (patch) | |
| tree | fbb50859955bddc1fa48dbe1667eb6ae1b8b1596 /actionview/lib/action_view | |
| parent | e37b470a6675a05df5a57455a3ac8c1c88ef04d6 (diff) | |
| download | rails-ab5fb4f22430afa58c334f7e7e142660164490e5.tar.gz rails-ab5fb4f22430afa58c334f7e7e142660164490e5.tar.bz2 rails-ab5fb4f22430afa58c334f7e7e142660164490e5.zip | |
Don’t allow arbitrary data in back urls

`link_to :back` creates a link to whatever was passed in via the referer header. If an attacker can alter the referer header, that would create a cross-site scripting vulnerability on every page that uses `link_to :back`.

This commit restricts the back URL to valid non-javascript URLs.

https://github.com/rails/rails/issues/14444
Diffstat (limited to 'actionview/lib/action_view')
-rw-r--r-- | actionview/lib/action_view/helpers/url_helper.rb | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 5684de35e8..baebc34b4b 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -41,11 +41,21 @@ module ActionView end def _back_url # :nodoc: - referrer = controller.respond_to?(:request) && controller.request.env["HTTP_REFERER"] - referrer || 'javascript:history.back()' + _filtered_referrer || 'javascript:history.back()' end protected :_back_url + def _filtered_referrer # :nodoc: + if controller.respond_to?(:request) + referrer = controller.request.env["HTTP_REFERER"] + if referrer && URI(referrer).scheme != 'javascript' + referrer + end + end + rescue URI::InvalidURIError + end + protected :_filtered_referrer + # Creates an anchor element of the given +name+ using a URL created by the set of +options+. # See the valid options in the documentation for +url_for+. It's also possible to # pass a String instead of an options hash, which generates an anchor element that uses the |
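Review bot: `_filtered_referrer` only denies the single scheme `javascript`, so any other non-navigational scheme the browser accepts still flows into the `href` of `link_to :back`; a safer rule for a referrer is an allowlist, for example `uri = URI(referrer); referrer if uri.scheme.nil? || %w(http https).include?(uri.scheme)`, which admits relative and HTTP(S) references and nothing else. The method-level `rescue URI::InvalidURIError` correctly turns an unparseable Referer into `nil` so the caller falls back to `'javascript:history.back()'`, but that fallback deserves a one-line comment, since it is the one place an intentional `javascript:` URL is emitted and a future reader may mistake it for the very thing this change removes.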