author | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2016-03-07 10:06:54 +0100 |
---|---|---|
committer | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2016-03-13 13:13:19 +0100 |
commit | 1cefb73a9c067b1e2367a28b5c6852cf52d6b886 (patch) | |
tree | 9cd855428a7569abb89f3635a1b0d9a5e3e77c91 /app/controllers | |
parent | a3b626bf2544a1ad98651a2a2c5cdd13dc934e12 (diff) | |
download | gitlab-ce-1cefb73a9c067b1e2367a28b5c6852cf52d6b886.tar.gz |
Check redirect path in the continue_params
Fixes
https://dev.gitlab.org/gitlab/gitlabhq/issues/2649
https://gitlab.com/gitlab-org/gitlab-ce/issues/13956
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/continue_to_params.rb | 13 | ||||
-rw-r--r-- | app/controllers/projects/forks_controller.rb | 13 | ||||
-rw-r--r-- | app/controllers/projects/imports_controller.rb | 12 |
3 files changed, 17 insertions, 21 deletions
diff --git a/app/controllers/concerns/continue_to_params.rb b/app/controllers/concerns/continue_to_params.rb
new file mode 100644
index 00000000000..8b6c7051968
--- /dev/null
+++ b/app/controllers/concerns/continue_to_params.rb
@@ -0,0 +1,13 @@
+module ContinueToParams
+ extend ActiveSupport::Concern
+
+ def continue_params
+ continue_params = params[:continue]
+ return nil unless continue_params
+
+ continue_params = continue_params.permit(:to, :notice, :notice_now)
+ continue_params[:to] = root_url unless continue_params[:to].start_with?('/')
+
+ continue_params
+ end
+end
diff --git a/app/controllers/projects/forks_controller.rb b/app/controllers/projects/forks_controller.rb
index 7b202f3862f..c4884c13b12 100644
--- a/app/controllers/projects/forks_controller.rb
+++ b/app/controllers/projects/forks_controller.rb
@@ -1,4 +1,6 @@
 class Projects::ForksController < Projects::ApplicationController
+ include ContinueToParams
+
 # Authorize
 before_action :require_non_empty_project
 before_action :authorize_download_code!
@@ -53,15 +55,4 @@ class Projects::ForksController < Projects::ApplicationController
 render :error
 end
 end
-
- private
-
- def continue_params
- continue_params = params[:continue]
- if continue_params
- continue_params.permit(:to, :notice, :notice_now)
- else
- nil
- end
- end
 end
diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb
index 196996f1752..3756fc9139c 100644
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -1,4 +1,6 @@
 class Projects::ImportsController < Projects::ApplicationController
+ include ContinueToParams
+
 # Authorize
 before_action :authorize_admin_project!
 before_action :require_no_repo, only: [:new, :create]
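Review bot: In the new ContinueToParams#continue_params, `continue_params[:to].start_with?('/')` raises NoMethodError whenever a request supplies `continue[notice]` without `continue[to]`, because `permit` leaves `:to` absent and `nil` has no `start_with?`. The leading-slash test is also not a complete same-site check: a protocol-relative value such as `//host/path` begins with `/` yet browsers resolve it against another origin, so the redirect this commit means to confine can still leave the application. Both points are covered by reading the value once and tightening the condition: `to = continue_params[:to]` followed by `continue_params[:to] = root_url unless to.is_a?(String) && to.start_with?('/') && !to.start_with?('//')`. The forks_controller and imports_controller hunks sharing this line only swap the old private method for the concern and need no change.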
@@ -44,16 +46,6 @@ class Projects::ImportsController < Projects::ApplicationController
 private
- def continue_params
- continue_params = params[:continue]
-
- if continue_params
- continue_params.permit(:to, :notice, :notice_now)
- else
- nil
- end
- end
-
 def finished_notice
 if @project.forked?
 'The project was successfully forked.' |