IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-27 03:10:46 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: respond with 400 error on invalid redirect param

Browse Source
This commit is contained in:
Arpit Jalan 2019-06-17 16:44:30 +05:30
parent 59e84e8e05
commit 863d8014d0
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/controllers/static_controller.rb
View File

@ -89,8 +89,10 @@ class StaticController < ApplicationController
destination = path("/")
redirect_location = params[:redirect].to_s
if redirect_location.present? && !redirect_location.match(login_path)
redirect_location = params[:redirect]
if redirect_location.present? && !redirect_location.is_a?(String)
raise Discourse::InvalidParameters.new(:redirect)
elsif redirect_location.present? && !redirect_location.match(login_path)
begin
forum_uri = URI(Discourse.base_url)
uri = URI(redirect_location)

7
spec/requests/static_controller_spec.rb
View File

@ -286,7 +286,12 @@ describe StaticController do
context 'with an array' do
it "redirects to the root" do
post "/login.json", params: { redirect: ["/foo"] }
expect(response).to redirect_to('/')
expect(response.status).to eq(400)
json = JSON.parse(response.body)
expect(json["errors"]).to be_present
expect(json["errors"]).to include(
I18n.t("invalid_params", message: "redirect")
)
end
end