From ba80ff74a9627f676b4c426587ce5ea487665e46 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Tue, 14 Oct 2008 11:37:59 +0200
Subject: Sanitize the URLs passed to redirect_to to prevent a potential response splitting attack. CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers, so care needs to be taken.
---
 actionpack/lib/action_controller/response.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
index 54a99996ef..b440065482 100644
--- a/actionpack/lib/action_controller/response.rb
+++ b/actionpack/lib/action_controller/response.rb
@@ -114,8 +114,8 @@ module ActionController # :nodoc:
 def redirect(url, status)
 self.status = status
- self.location = url
- self.body = "You are being redirected."
+ self.location = url.gsub(/[\r\n]/, '')
+ self.body = "You are being redirected."
 end
 def sending_file?
--
cgit v1.2.3
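Review bot: The new `self.location = url.gsub(/[\r\n]/, '')` line silently rewrites a URL that contains CR or LF rather than rejecting it, so an injection attempt leaves no trace and the client is still redirected to a truncated target; failing loudly is the stronger defence, e.g. `raise ArgumentError, "CR/LF in redirect URL" if url =~ /[\r\n]/` before the assignment, keeping the gsub only if callers are known to pass such values legitimately. The line also deserves a why-comment, since a reader will not see the attack from the regex alone: `# strip CR/LF so a crafted URL cannot terminate the Location header and smuggle extra headers (response splitting)`. As a style point, `url.delete("\r\n")` removes the same characters without a regex match and reads more directly. The guard lives only in `redirect`; any other code that assigns `location` or `headers['Location']` directly (not visible in this hunk) would presumably bypass it, so it may be worth applying the check in the `location=` setter instead. `sending_file?`, whose signature closes the hunk, continues outside it.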