| field | value | date |
|---|---|---|
| author | Damien Burke <damien@damienburke.com> | 2015-11-03 17:17:10 -0800 |
| committer | Damien Burke <damien@damienburke.com> | 2015-11-03 17:20:48 -0800 |
| commit | ab5fb4f22430afa58c334f7e7e142660164490e5 (patch) | |
| tree | fbb50859955bddc1fa48dbe1667eb6ae1b8b1596 /actionview/test/template | |
| parent | e37b470a6675a05df5a57455a3ac8c1c88ef04d6 (diff) | |
Don’t allow arbitrary data in back urls
`link_to :back` creates a link to whatever was passed in via the referer header. If an attacker can alter the referer header, that would create a cross-site scripting vulnerability on every page that uses `link_to :back`.

This commit restricts the back URL to valid non-javascript URLs.
https://github.com/rails/rails/issues/14444
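The commit message describes the vulnerable pattern but not how a referer-derived link turns into script execution, nor what a scheme check on it looks like. The Ruby below is an added example written for this page; it is not Rails code and not the change this commit makes. It puts the pre-fix behaviour (`unsafe_back_url`, constructed here) beside a hardened helper (`safe_back_url`) that only passes through referers parsing as `http`/`https` URLs with a host, an allowlist that is deliberately stricter than the "non-javascript" wording of the message, and renders both through ERB escaping to show that HTML-escaping the `href` does nothing against a `javascript:` URL. The helper names, the constants, and the sample referer values are all constructed for illustration.

```ruby
require "uri"
require "erb"

# Added example for this page; not Rails code. Models the behaviour that
# `link_to :back` had before this commit next to a hardened version.
FALLBACK_BACK_URL = "javascript:history.back()".freeze

# Stricter than the commit message's "non-javascript": only absolute
# http(s) URLs are passed through. Referer is an absolute URL per RFC 7231,
# so scheme-less or relative values are treated as untrusted (assumption).
ALLOWED_BACK_SCHEMES = %w[http https].freeze

# Pre-fix shape (constructed): whatever the client sent in Referer is the href.
def unsafe_back_url(referer)
  (referer.nil? || referer.empty?) ? FALLBACK_BACK_URL : referer
end

# Hardened shape: parse, allowlist the scheme, require a host.
# Anything unparsable or off-list falls back to history.back().
def safe_back_url(referer)
  return FALLBACK_BACK_URL if referer.nil? || referer.empty?

  uri = URI.parse(referer)
  scheme = uri.scheme.to_s.downcase           # "JavaScript:" must not slip past
  return FALLBACK_BACK_URL unless ALLOWED_BACK_SCHEMES.include?(scheme)
  return FALLBACK_BACK_URL if uri.host.to_s.empty?

  referer
rescue URI::InvalidURIError
  FALLBACK_BACK_URL
end

# Renders the anchor the way a view helper would, with the href HTML-escaped.
# Escaping prevents breaking out of the attribute, but a javascript: URL
# contains no HTML metacharacters, so only the scheme check stops it.
def back_link_html(referer, hardened: true)
  href = hardened ? safe_back_url(referer) : unsafe_back_url(referer)
  %(<a href="#{ERB::Util.html_escape(href)}">Back</a>)
end

# Constructed Referer values: the cases the tests in this commit exercise,
# plus a few a reviewer would ask about (case variant, other active scheme,
# scheme-relative URL).
SAMPLE_REFERERS = {
  "legitimate"        => "http://www.example.com/articles/1",
  "javascript scheme" => "javascript:alert(document.cookie)",
  "mixed-case scheme" => "JavaScript:alert(document.cookie)",
  "data scheme"       => "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "scheme-relative"   => "//evil.example/",
  "not a URL"         => "THIS IS NOT A URL",
  "missing header"    => nil,
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_REFERERS.each do |label, referer|
    puts "#{label}:"
    puts "  before fix: #{back_link_html(referer, hardened: false)}"
    puts "  hardened:   #{back_link_html(referer)}"
  end
end
```

Run it as a script to see the two renderings side by side: for the `javascript:` referer the pre-fix anchor is `<a href="javascript:alert(document.cookie)">Back</a>`, byte-for-byte what the browser executes on click, while the hardened anchor carries the `history.back()` fallback. The allowlist, rather than a blocklist of `javascript`, is the design choice worth copying: it also closes `data:` and `vbscript:` style schemes and case variants without enumerating them.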
Diffstat (limited to 'actionview/test/template')
-rw-r--r-- | actionview/test/template/url_helper_test.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 43a65a58cb..48d0a9a47a 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -50,6 +50,23 @@ class UrlHelperTest < ActiveSupport::TestCase assert_equal 'javascript:history.back()', url_for(:back) end + def test_url_for_with_back_and_no_controller + @controller = nil + assert_equal 'javascript:history.back()', url_for(:back) + end + + def test_url_for_with_back_and_javascript_referer + referer = 'javascript:alert(document.cookie)' + @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer)) + assert_equal 'javascript:history.back()', url_for(:back) + end + + def test_url_for_with_invalid_referer + referer = 'THIS IS NOT A URL' + @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer)) + assert_equal 'javascript:history.back()', url_for(:back) + end + def test_button_to_with_straight_url assert_dom_equal %{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>}, button_to("Hello", "http://www.example.com") end |
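Review bot: all three new tests in url_helper_test.rb assert the fallback `'javascript:history.back()'`; none asserts that a well-formed referer is passed through, so an implementation that ignored `HTTP_REFERER` entirely would still pass them. Add a positive case, e.g. `referer = 'http://www.example.com/'` followed by `assert_equal referer, url_for(:back)`. Since the commit message promises "valid non-javascript URLs", a case variant such as `'JavaScript:alert(1)'` and another active scheme such as `data:` would pin down whether the check is on the scheme or on the literal string. The `@controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))` line is also duplicated verbatim in two tests; a small helper taking the referer would keep the stubs in sync as more cases are added.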