Fix vulnerability on open redirects

2022-06-28 18:27:55 -03:00 · 2022-06-28 18:27:55 -03:00 · 708bb9d314
commit 708bb9d314
parent 7ebda0aded
2 changed files with 16 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@ -195,7 +195,8 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
      end

      def _url_host_allowed?(url)
-        [request.host, nil].include?(URI(url.to_s).host)
+        host = URI(url.to_s).host
+        host == request.host || host.nil? && url.to_s.start_with?("/")
      rescue ArgumentError, URI::Error
        false
      end
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@ -88,6 +88,10 @@ def unsafe_redirect_back
    redirect_back_or_to "http://www.rubyonrails.org/"
  end

+  def unsafe_redirect_malformed
+    redirect_to "http:///www.rubyonrails.org/"
+  end
+
  def only_path_redirect
    redirect_to action: "other_host", only_path: true
  end
@ -504,6 +508,16 @@ def test_unsafe_redirect_back
    end
  end

+  def test_unsafe_redirect_with_malformed_url
+    with_raise_on_open_redirects do
+      error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
+        get :unsafe_redirect_malformed
+      end
+
+      assert_equal "Unsafe redirect to \"http:///www.rubyonrails.org/\", pass allow_other_host: true to redirect anyway.", error.message
+    end
+  end
+
  def test_only_path_redirect
    with_raise_on_open_redirects do
      get :only_path_redirect