authorjomo <github@jomo.tv>2016-05-07 03:52:14 +0200
committerjomo <github@jomo.tv>2016-05-07 03:52:14 +0200
commit1f51e9d82344ba8d3e39c38db6e720740f42f8b9 (patch)
tree1eceb8947d2b9dd30f62ffe546a30cea67eaaa8e
parentf110d2e0add29dd595cc0cb30f0916c845f19a2d (diff)
allow relative return_path only, check validity
-rw-r--r--app/controllers/sessions_controller.rb13
-rw-r--r--app/controllers/users_controller.rb2
2 files changed, 12 insertions, 3 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 0e12637..b58028a 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -7,7 +7,9 @@ class SessionsController < ApplicationController
flash[:alert] = "You are already logged in!"
redirect_to current_user
else
- cookies[:return_path] = params[:return_path] if params[:return_path]
+ if params[:return_path] && params[:return_path][0] == "/"
+ cookies[:return_path] = params[:return_path]
+ end
end
end
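Review bot: The new `if` condition accepts any value whose first character is `/`, which still admits a scheme-relative value beginning with `//`; browsers resolve such a value as an absolute URL on another host, so the redirect is not yet restricted to local paths as the commit title intends. A stricter guard is `if params[:return_path].is_a?(String) && params[:return_path].start_with?("/") && !params[:return_path].start_with?("//")`, where the `is_a?(String)` part also avoids indexing a non-string parameter. The second hunk in this file has the same gap, since `URI.parse` does not reject these values either. The enclosing action starts outside the hunk.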
@@ -42,7 +44,14 @@ class SessionsController < ApplicationController
flash[:alert] = "You are already logged in!"
end
if cookies[:return_path]
- redirect_to cookies[:return_path]
+ begin
+ # might be invalid path
+ URI.parse(cookies[:return_path])
+ redirect_to cookies[:return_path]
+ rescue URI::Error
+ flash[:alert] = "Invalid return path!"
+ redirect_to blogposts_path
+ end
cookies.delete(:return_path)
else
redirect_to blogposts_path
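Review bot: A successful `URI.parse` on the cookie only shows the value is syntactically a URI, not that it is a local path — absolute URLs and `//host` forms parse without error, and because the cookie is supplied by the client on this request, the check applied when the cookie was written in the first hunk cannot be relied on here. Inspect the parsed value before redirecting: replace the bare `URI.parse(cookies[:return_path])` with `uri = URI.parse(cookies[:return_path])` followed by `raise URI::Error, "not a local path" unless uri.scheme.nil? && uri.host.nil? && uri.path.start_with?("/")`, which the existing `rescue URI::Error` already handles. The `# might be invalid path` comment would then better read `# cookie is client-supplied; accept only a bare local path`. The enclosing action begins outside the hunk.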
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index caa5f02..f53b033 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -72,7 +72,7 @@ class UsersController < ApplicationController
end
else
flash[:alert] = "Please login first"
- cookies[:return_path] = request.fullpath
+ cookies[:return_path] = request.env['PATH_INFO']
redirect_to login_path
end
end
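Review bot: The replacement line reads the Rack env directly with `request.env['PATH_INFO']` where the request object already exposes it as `request.path_info`; the accessor is the conventional form and reads better next to `request.fullpath` on the removed line. Note also that `PATH_INFO` excludes `SCRIPT_NAME`, so if this app is ever mounted under a URL prefix the stored path would presumably lose that prefix; `request.path` includes it and would be the safer choice in that case. The enclosing action starts outside the hunk.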