From 9dde7d8de047b55ec636c4c7cba89ec95324d492 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon
Date: Thu, 8 Nov 2018 14:45:06 -0500
Subject: Ensure external redirects are explicitly allowed
Add `fallback_location` and `allow_other_host` options to `redirect_to`.
---
 actionpack/lib/action_controller/metal/force_ssl.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib/action_controller/metal/force_ssl.rb')
diff --git a/actionpack/lib/action_controller/metal/force_ssl.rb b/actionpack/lib/action_controller/metal/force_ssl.rb
index 26e6f72b66..205f84ae36 100644
--- a/actionpack/lib/action_controller/metal/force_ssl.rb
+++ b/actionpack/lib/action_controller/metal/force_ssl.rb
@@ -13,7 +13,7 @@ module ActionController
 ACTION_OPTIONS = [:only, :except, :if, :unless]
 URL_OPTIONS = [:protocol, :host, :domain, :subdomain, :port, :path]
- REDIRECT_OPTIONS = [:status, :flash, :alert, :notice]
+ REDIRECT_OPTIONS = [:status, :flash, :alert, :notice, :allow_other_host]
 module ClassMethods # :nodoc:
 def force_ssl(options = {})
@@ -40,7 +40,8 @@ module ActionController
 protocol: "https://",
 host: request.host,
 path: request.fullpath,
- status: :moved_permanently
+ status: :moved_permanently,
+ allow_other_host: true,
 }
 if host_or_options.is_a?(Hash)
-- 
cgit v1.2.3
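Review bot: The default `allow_other_host: true` added to the options hash in the second hunk opts every force-SSL redirect out of the external-redirect check, including the default case where `host:` stays `request.host` and the target is presumably not another host at all. Because the first hunk adds `:allow_other_host` to `REDIRECT_OPTIONS`, that value is forwarded to `redirect_to`, so the exemption only seems necessary when a caller overrides the host. Consider dropping it from the defaults and setting it where the override is applied (presumably the branch that starts at `if host_or_options.is_a?(Hash)`), e.g. `options[:allow_other_host] = true unless options.key?(:allow_other_host)`. If it stays unconditional, a comment such as `# force_ssl may redirect to a configured host other than request.host, so skip the same-host check` would record why the protection is bypassed here. The method body starts before and continues past this hunk, so how `host_or_options` is merged into `options` is not visible.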