From 1f51e9d82344ba8d3e39c38db6e720740f42f8b9 Mon Sep 17 00:00:00 2001
From: jomo
Date: Sat, 7 May 2016 03:52:14 +0200
Subject: allow relative return_path only, check validity

---
 app/controllers/sessions_controller.rb | 13 +++++++++++--
 app/controllers/users_controller.rb    |  2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 0e12637..b58028a 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -7,7 +7,9 @@ class SessionsController < ApplicationController
       flash[:alert] = "You are already logged in!"
       redirect_to current_user
     else
-      cookies[:return_path] = params[:return_path] if params[:return_path]
+      if params[:return_path] && params[:return_path][0] == "/"
+        cookies[:return_path] = params[:return_path]
+      end
     end
   end
 
@@ -42,7 +44,14 @@ class SessionsController < ApplicationController
       flash[:alert] = "You are already logged in!"
     end
     if cookies[:return_path]
-      redirect_to cookies[:return_path]
+      begin
+        # might be invalid path
+        URI.parse(cookies[:return_path])
+        redirect_to cookies[:return_path]
+      rescue URI::Error
+        flash[:alert] = "Invalid return path!"
+        redirect_to blogposts_path
+      end
       cookies.delete(:return_path)
     else
       redirect_to blogposts_path
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index caa5f02..f53b033 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -72,7 +72,7 @@ class UsersController < ApplicationController
       end
     else
       flash[:alert] = "Please login first"
-      cookies[:return_path] = request.fullpath
+      cookies[:return_path] = request.env['PATH_INFO']
       redirect_to login_path
     end
   end
-- 
cgit v1.2.3
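Review bot: The new guard `params[:return_path][0] == "/"` still accepts values that begin with `//`, which browsers resolve as protocol-relative absolute URLs, so the "relative only" intent in the subject is not enforced for `//host/...` values. Suggest `if params[:return_path].is_a?(String) && params[:return_path].start_with?("/") && !params[:return_path].start_with?("//")`; the `is_a?(String)` part also avoids indexing `[0]` on a nested array or hash parameter, which would otherwise store a non-string in the cookie. The enclosing action begins before this hunk, so the outer `if`/`else` is not visible here.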
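Review bot: `URI.parse(cookies[:return_path])` in the second hunk only rejects syntactically malformed strings; it accepts `https://example.test/x` and `//example.test/x` as valid, so the redirect-time check does not enforce the relative-path requirement, and because the cookie is plain (not `cookies.signed`) its value is under the browser's control and need not match what the first hunk stored. Re-validate the parsed value before redirecting: `uri = URI.parse(cookies[:return_path])`, then `raise URI::InvalidURIError unless uri.scheme.nil? && uri.host.nil? && uri.path.start_with?("/")`, then `redirect_to cookies[:return_path]`; the existing `rescue URI::Error` already covers `URI::InvalidURIError`. Alternatively, write and read the value through `cookies.signed[:return_path]` in both controllers so the stored path cannot be altered client-side. The comment `# might be invalid path` could state what is being rejected, e.g. `# reject malformed or non-relative paths before redirecting`. The enclosing action begins before this hunk.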
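Review bot: Replacing `request.fullpath` with `request.env['PATH_INFO']` in the users_controller hunk silently drops the query string, so a visitor sent to log in from a path with parameters returns to the bare path afterwards; if that is deliberate, a comment such as `# store the path only; the query string is intentionally not preserved` would make it clear. Rails exposes the same value as `request.path_info` (or `request.path`), which reads better than reaching into the raw Rack env. Since this cookie is plain rather than signed, its content is still client-controlled when SessionsController reads it back, so the safety of the later redirect rests on the check there, not on what this line stores. The enclosing action begins before this hunk.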