From ab5fb4f22430afa58c334f7e7e142660164490e5 Mon Sep 17 00:00:00 2001 From: Damien Burke Date: Tue, 3 Nov 2015 17:17:10 -0800 Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20arbitrary=20data=20in=20back=20?= =?UTF-8?q?urls?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `link_to :back` creates a link to whatever was passed in via the referer header. If an attacker can alter the referer header, that would create a cross-site scripting vulnerability on every page that uses `link_to :back` This commit restricts the back URL to valid non-javascript URLs. https://github.com/rails/rails/issues/14444 --- actionview/lib/action_view/helpers/url_helper.rb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'actionview/lib/action_view/helpers/url_helper.rb') diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 5684de35e8..baebc34b4b 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -41,11 +41,21 @@ module ActionView end def _back_url # :nodoc: - referrer = controller.respond_to?(:request) && controller.request.env["HTTP_REFERER"] - referrer || 'javascript:history.back()' + _filtered_referrer || 'javascript:history.back()' end protected :_back_url + def _filtered_referrer # :nodoc: + if controller.respond_to?(:request) + referrer = controller.request.env["HTTP_REFERER"] + if referrer && URI(referrer).scheme != 'javascript' + referrer + end + end + rescue URI::InvalidURIError + end + protected :_filtered_referrer + # Creates an anchor element of the given +name+ using a URL created by the set of +options+. # See the valid options in the documentation for +url_for+. It's also possible to # pass a String instead of an options hash, which generates an anchor element that uses the -- cgit v1.2.3