author: Bob Van Landuyt <bob@vanlanduyt.co> 2018-05-02 20:25:21 +0200
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-05-04 13:54:43 +0200
commit: 39916fdfeddfd75279d13fa976fdb07f3b9b0e26 (patch)
tree: 3a05cbb5816d582a72197e417d3fc3539dd6cf59 /app/controllers/concerns
parent: 7684217d6806408cd338260119364419260d1720 (diff)
download: gitlab-ce-39916fdfeddfd75279d13fa976fdb07f3b9b0e26.tar.gz
Reuses `InternalRedirect` when possible
`InternalRedirect` prevents open redirect issues by only allowing redirection to paths on the same host. It cleans up any unwanted strings from the path that could point to another host (e.g. //about.gitlab.com/hello), while preserving the querystring and fragment of the URI.

It is already used by:
- `TermsController`
- `ContinueParams`
- `ImportsController`
- `ForksController`
- `SessionsController`: only for verifying the host in CE. EE allows redirecting to a different instance using Geo.
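The same-host check the commit message describes, as an added illustration written for this page rather than GitLab's own `InternalRedirect` code: `safe_redirect_path` is a hypothetical stand-in that accepts only a local path, rejects scheme-relative (`//host`) and absolute URLs, and keeps the query string and fragment.

```ruby
require 'uri'

# Added example, not GitLab's InternalRedirect. Returns a path that stays on
# the current host, or nil when the value could send the browser elsewhere.
def safe_redirect_path(path)
  return nil if path.nil? || path.empty?
  # Must be a path. A full URL ("http://...", "javascript:...") fails the
  # leading-slash test; a scheme-relative reference ("//other.host/x") is a
  # path on another host and is rejected explicitly.
  return nil unless path.start_with?('/') && !path.start_with?('//')
  # "/\other.host" is normalised to "//other.host" by some browsers.
  return nil if path.start_with?('/\\')

  uri = URI.parse(path)
  # A relative reference carries neither scheme nor host; anything else leaves
  # the host even if it passed the string checks above.
  return nil if uri.scheme || uri.host

  # Rebuild from the parsed parts so the query string and fragment survive.
  safe = uri.path
  safe += "?#{uri.query}" if uri.query
  safe += "##{uri.fragment}" if uri.fragment
  safe
rescue URI::InvalidURIError
  nil
end
```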
Diffstat (limited to 'app/controllers/concerns')
 app/controllers/concerns/continue_params.rb | 4
1 files changed, 2 insertions, 2 deletions
diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb
index eb3a623acdd..8b7355974df 100644
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -1,4 +1,5 @@
module ContinueParams
+ include InternalRedirect
extend ActiveSupport::Concern
def continue_params
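Review bot: the added `include InternalRedirect` sits above `extend ActiveSupport::Concern`, so at the moment of inclusion `ContinueParams` is still a plain module rather than a concern; if `InternalRedirect` is itself an `ActiveSupport::Concern` with an `included` block, that block runs against this module instead of being deferred to the controller that eventually includes `ContinueParams`. Moving the include below the `extend` line registers it as a concern dependency and avoids that ordering trap.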
@@ -6,8 +7,7 @@ module ContinueParams
return nil unless continue_params
continue_params = continue_params.permit(:to, :notice, :notice_now)
- return unless continue_params[:to] && continue_params[:to].start_with?('/')
- return if continue_params[:to].start_with?('//')
+ continue_params[:to] = safe_redirect_path(continue_params[:to])
continue_params
end
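Review bot: the rewritten guard changes what callers receive for a missing or unsafe `to`. The removed `return unless ...` and `return if ...` lines made `continue_params` return nil in those cases, whereas the new `continue_params[:to] = safe_redirect_path(continue_params[:to])` always returns the permitted hash with `:to` set to whatever `safe_redirect_path` yields, so a caller that tested `continue_params` for nil before reading `:notice` or `:notice_now` now sees a hash whose `:to` may be nil. Either add `return unless continue_params[:to]` after the assignment or confirm every caller tolerates a present hash with a nil `:to`.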