From baa240d09c09b74e9bc69c91e4b5c9fb5bca2005 Mon Sep 17 00:00:00 2001
From: Egor Homakov <homakov@gmail.com>
Date: Fri, 1 Feb 2013 00:01:11 +0700
Subject: Use \A in Regexps

So, if there is redirect_to params[:q]
i can send ?q=javascript:asdf()%0A/localpath
Or something more nasty, so please use \A
---
 actionpack/lib/action_controller/metal/redirecting.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 59b91a240e..e9031f3fac 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -88,7 +88,7 @@ module ActionController
         # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
         # characters; and is terminated by a colon (":").
         # The protocol relative scheme starts with a double slash "//"
-        when %r{^(\w[\w+.-]*:|//).*}
+        when %r{\A(\w[\w+.-]*:|//).*}
           options
         when String
           request.protocol + request.host_with_port + options
-- 
cgit v1.2.3