Don't redirect to arbitrary URLs via link tracker

2025-02-25 18:55:32 -06:00 · 2013-07-26 12:14:11 -04:00
parent 29519ece23
commit c28b377494
3 changed files with 43 additions and 26 deletions
--- a/app/controllers/clicks_controller.rb
+++ b/app/controllers/clicks_controller.rb
@@ -7,15 +7,15 @@ class ClicksController < ApplicationController

    if params[:topic_id].present? || params[:post_id].present?
      params.merge!({ user_id: current_user.id }) if current_user.present?
-      TopicLinkClick.create_from(params)
+      @redirect_url = TopicLinkClick.create_from(params)
    end

    # Sometimes we want to record a link without a 302. Since XHR has to load the redirected
    # URL we want it to not return a 302 in those cases.
-    if params[:redirect] == 'false'
+    if params[:redirect] == 'false' || @redirect_url.blank?
      render nothing: true
    else
-      redirect_to(params[:url])
+      redirect_to(@redirect_url)
    end
  end