From ab5fb4f22430afa58c334f7e7e142660164490e5 Mon Sep 17 00:00:00 2001
From: Damien Burke
Date: Tue, 3 Nov 2015 17:17:10 -0800
Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20arbitrary=20data=20in=20back=20?= =?UTF-8?q?urls?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`link_to :back` creates a link to whatever was passed in via the referer header. If an attacker can alter the referer header, that would create a cross-site scripting vulnerability on every page that uses `link_to :back` This commit restricts the back URL to valid non-javascript URLs. https://github.com/rails/rails/issues/14444
---
 actionview/test/template/url_helper_test.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'actionview/test/template')
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb
index 43a65a58cb..48d0a9a47a 100644
--- a/actionview/test/template/url_helper_test.rb
+++ b/actionview/test/template/url_helper_test.rb
@@ -50,6 +50,23 @@ class UrlHelperTest < ActiveSupport::TestCase
 assert_equal 'javascript:history.back()', url_for(:back)
 end
+ def test_url_for_with_back_and_no_controller
+ @controller = nil
+ assert_equal 'javascript:history.back()', url_for(:back)
+ end
+
+ def test_url_for_with_back_and_javascript_referer
+ referer = 'javascript:alert(document.cookie)'
+ @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))
+ assert_equal 'javascript:history.back()', url_for(:back)
+ end
+
+ def test_url_for_with_invalid_referer
+ referer = 'THIS IS NOT A URL'
+ @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))
+ assert_equal 'javascript:history.back()', url_for(:back)
+ end
+
 def test_button_to_with_straight_url
 assert_dom_equal %{
}, button_to("Hello", "http://www.example.com")
 end
-- 
cgit v1.2.3
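Review bot: All three added tests pin only the fallback value `'javascript:history.back()'`; none of them asserts that a well-formed http(s) referer is still returned after the new restriction, so an implementation that rejected every referer would pass this hunk (a positive case may exist above line 50, outside the hunk, but it is not visible here). A companion test along the lines of `referer = 'http://www.example.com/referer'` followed by `assert_equal referer, url_for(:back)` would close that gap. The two referer tests repeat `@controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))`; a private helper such as `def controller_with_referer(referer)` would keep each test focused on its assertion. The code that performs the scheme check is not part of this diff (it is limited to actionview/test/template), so the hunk alone does not show whether the scheme comparison is case-insensitive; a test using a differently cased scheme name would pin that behaviour.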