Fixes #36768: Prevent redirection to other hosts via HTTP referer header

ekohl · Sep 26, 2023 · 2517ba4 · 2517ba4
1 parent d0fcacd
commit 2517ba4
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -336,7 +336,7 @@ def process_ajax_error(exception, action = nil)
   end
 
   def redirect_back_or_to(url)
-    redirect_back(fallback_location: url)
+    redirect_back(fallback_location: url, allow_other_host: false)
   end
 
   def saved_redirect_url_or(default)

diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
@@ -446,7 +446,7 @@ class UsersControllerTest < ActionController::TestCase
 
   context "when user is logged in" do
     test "#login redirects to previous url" do
-      @previous_url = "/bookmarks"
+      @previous_url = "http://test.host/bookmarks"
       get :login, session: set_session_user
       request.env['HTTP_REFERER'] = @previous_url