@@ -30,9 +30,9 @@ module ActionController def redirect(to_url, response_status) self.headers["Status"] = response_status - self.headers["Location"] = to_url + self.headers["Location"] = to_url.gsub(/[\r\n]/, '') - self.body = "<html><body>You are being <a href=\"#{to_url}\">redirected</a>.</body></html>" + self.body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(to_url)}\">redirected</a>.</body></html>" end def prepare! actionpack/lib/action_controller/response.rb e8577991dcc47bcb11f99fd6582ee2a3f8270498 Michael Koziarski NZKoz michael@koziarski.com http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d 7282ed863ca7e6f928bae9162c9a63a98775a19d 2008-10-14T02:47:27-07:00 2008-10-14T02:47:27-07:00 Sanitize the URLs passed to redirect_to to prevent a potential response spli CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers 3b6538fbe789c28a6a452566517272105630f6fe Michael Koziarski NZKoz michael@koziarski.com