Merge pull request #44650 from tomhughes/relative-redirect

Allow relative redirects when `raise_on_open_redirects` is enabled

actionpack/CHANGELOG.md

@@ -1,3 +1,7 @@
+*   Allow relative redirects when `raise_on_open_redirects` is enabled
+
+    *Tom Hughes*
+
 *   Allow Content Security Policy DSL to generate for API responses.
 
     *Tim Wade*

actionpack/lib/action_controller/metal/redirecting.rb

@@ -195,7 +195,7 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
       end
 
       def _url_host_allowed?(url)
-        URI(url.to_s).host == request.host
+        [request.host, nil].include?(URI(url.to_s).host)
       rescue ArgumentError, URI::Error
         false
       end

actionpack/test/controller/redirect_test.rb

@@ -88,6 +88,10 @@ def unsafe_redirect_back
     redirect_back_or_to "http://www.rubyonrails.org/"
   end
 
+  def only_path_redirect
+    redirect_to action: "other_host", only_path: true
+  end
+
   def safe_redirect_with_fallback
     redirect_to url_from(params[:redirect_url]) || "/fallback"
   end
@@ -500,6 +504,14 @@ def test_unsafe_redirect_back
     end
   end
 
+  def test_only_path_redirect
+    with_raise_on_open_redirects do
+      get :only_path_redirect
+      assert_response :redirect
+      assert_redirected_to "/redirect/other_host"
+    end
+  end
+
   def test_url_from
     with_raise_on_open_redirects do
       get :safe_redirect_with_fallback, params: { redirect_url: "http://test.host/app" }