Introduce #onsite_redirect_to helper for onsite redirects

Prefer #onsite_redirect_to to #redirect_to when using untrusted input (e.g. cookies) in the redirect destination Thanks @brynary
2025-09-22 05:50:47 +02:00 · 2013-05-07 09:41:48 +02:00 · 2013-05-07 09:41:48 +02:00 · 575341bf93
commit 575341bf93
parent 55cc030cb7
1 changed files with 18 additions and 8 deletions
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@ -166,7 +166,7 @@ class TodosController < ApplicationController
        format.m do
          @return_path=cookies[:mobile_url] ? cookies[:mobile_url] : mobile_path
          if @saved
-            redirect_to @return_path
+            onsite_redirect_to @return_path
          else
            @projects = current_user.projects
            @contexts = current_user.contexts
@ -413,10 +413,10 @@ class TodosController < ApplicationController
            old_path = cookies[:mobile_url]
            cookies[:mobile_url] = {:value => nil, :secure => SITE_CONFIG['secure_cookies']}
            notify(:notice, t("todos.action_marked_complete", :description => @todo.description, :completed => @todo.completed? ? 'complete' : 'incomplete'))
-           redirect_to old_path
+            onsite_redirect_to old_path
          else
            notify(:notice, t("todos.action_marked_complete", :description => @todo.description, :completed => @todo.completed? ? 'complete' : 'incomplete'))
-            redirect_to todos_path(:format => 'm')
+            onsite_redirect_to todos_path(:format => 'm')
          end
        else
          render :action => "edit", :format => :m
@ -438,10 +438,10 @@ class TodosController < ApplicationController
          old_path = cookies[:mobile_url]
          cookies[:mobile_url] = {:value => nil, :secure => SITE_CONFIG['secure_cookies']}
          notify(:notice, "Star toggled")
-          redirect_to old_path
+          onsite_redirect_to old_path
        else
          notify(:notice, "Star toggled")
-          redirect_to todos_path(:format => 'm')
+          onsite_redirect_to todos_path(:format => 'm')
        end
      }
    end
@ -892,7 +892,7 @@ class TodosController < ApplicationController
      redirect_to project_url(@project)
    else
      flash[:error] = "Could not create project from todo: #{@project.errors.full_messages[0]}"
-      redirect_to request.env["HTTP_REFERER"] || root_url
+      onsite_redirect_to request.env["HTTP_REFERER"] || root_url
    end
  end

@ -915,9 +915,9 @@ class TodosController < ApplicationController
    if cookies[:mobile_url]
      old_path = cookies[:mobile_url]
      cookies[:mobile_url] = {:value => nil, :secure => SITE_CONFIG['secure_cookies']}
-      redirect_to old_path
+      onsite_redirect_to old_path
    else
-      redirect_to todos_path(:format => 'm')
+      onsite_redirect_to todos_path(:format => 'm')
    end
  end

@ -1448,4 +1448,14 @@ class TodosController < ApplicationController

  end

+  def onsite_redirect_to(destination)
+    uri = URI.parse(destination)
+
+    if uri.query.present?
+      redirect_to("#{uri.path}?#{uri.query}")
+    else
+      redirect_to(uri.path)
+    end
+  end 
+
 end