From b608cdd64c95d0d16eb98d86562e22f3b01be9e3 Mon Sep 17 00:00:00 2001
From: Andrew White <andyw@pixeltrix.co.uk>
Date: Sun, 29 Apr 2012 21:19:18 +0100
Subject: Escape interpolated params when redirecting - fixes #5688

---
 .../lib/action_dispatch/routing/redirection.rb     |  7 +++++-
 actionpack/test/dispatch/routing_test.rb           | 28 ++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/routing/redirection.rb b/actionpack/lib/action_dispatch/routing/redirection.rb
index 4d98f20826..75627018c7 100644
--- a/actionpack/lib/action_dispatch/routing/redirection.rb
+++ b/actionpack/lib/action_dispatch/routing/redirection.rb
@@ -93,7 +93,7 @@ module ActionDispatch
         path = args.shift
 
         block = lambda { |params, request|
-          (params.empty? || !path.match(/%\{\w*\}/)) ? path : (path % params)
+          (params.empty? || !path.match(/%\{\w*\}/)) ? path : (path % escape(params))
         } if String === path
 
         block = path if path.respond_to? :call
@@ -110,6 +110,11 @@ module ActionDispatch
 
         Redirect.new status, block
       end
+
+      private
+        def escape(params)
+          Hash[params.map{ |k,v| [k, Rack::Utils.escape(v)] }]
+        end
     end
   end
 end
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 50b959cc39..9e522d44fa 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -2635,3 +2635,31 @@ class TestMultipleNestedController < ActionDispatch::IntegrationTest
 
 end
 
+class TestRedirectInterpolation < ActionDispatch::IntegrationTest
+  Routes = ActionDispatch::Routing::RouteSet.new.tap do |app|
+    app.draw do
+      ok = lambda { |env| [200, { 'Content-Type' => 'text/plain' }, []] }
+
+      get "/foo/:id" => redirect("/foo/bar/%{id}")
+      get "/foo/bar/:id" => ok
+    end
+  end
+
+  def app; Routes end
+
+  test "redirect escapes interpolated parameters" do
+    get "/foo/1%3E"
+    verify_redirect "http://www.example.com/foo/bar/1%3E"
+  end
+
+private
+  def verify_redirect(url, status=301)
+    assert_equal status, @response.status
+    assert_equal url, @response.headers['Location']
+    assert_equal expected_redirect_body(url), @response.body
+  end
+
+  def expected_redirect_body(url)
+    %(<html><body>You are being <a href="#{ERB::Util.h(url)}">redirected</a>.</body></html>)
+  end
+end
-- 
cgit v1.2.3