Commit 7282ed863ca7e6f928bae9162c9a63a98775a19d to rails's rails

7282ed8
all branches
- 1-2-stable
- 2-0-stable
- 2-1-stable
- 2-2-stable
- 2-3-stable
- 3-0-unstable
- HEAD
- master
all tags
- v0.9.1
- v0.9.2
- v0.9.3
- v0.9.4
- v0.9.4.1
- v0.9.5
- v0.10.0
- v0.10.1
- v0.11.0
- v0.11.1
- v0.12.0
- v0.13.0
- v0.13.1
- v0.14.1
- v0.14.2
- v0.14.3
- v0.14.4
- v1.0.0
- v1.1.0
- v1.1.0_RC1
- v1.1.1
- v1.1.2
- v1.1.3
- v1.1.4
- v1.1.5
- v1.1.6
- v1.2.0
- v1.2.0_RC1
- v1.2.0_RC2
- v1.2.1
- v1.2.2
- v1.2.3
- v1.2.4
- v1.2.5
- v1.2.6
- v2.0.0
- v2.0.0_PR
- v2.0.0_RC1
- v2.0.0_RC2
- v2.0.1
- v2.0.2
- v2.0.3
- v2.0.4
- v2.0.5
- v2.1.0
- v2.1.0_RC1
- v2.1.1
- v2.1.2
- v2.2.0
- v2.2.1
- v2.2.2
- v2.3.0
- v2.3.1
- v2.3.2
- v2.3.2.1
comments

rails / rails

668

3817

Description:	Ruby on Rails edit
Homepage:	http://rubyonrails.org edit
Public Clone URL:	git://github.com/rails/rails.git Give this clone URL to anyone. `git clone git://github.com/rails/rails.git`
Your Clone URL:	git@github.com:rails/rails.git Use this clone URL yourself. `git clone git@github.com:rails/rails.git`

Sanitize the URLs passed to redirect_to to prevent a potential response spli

CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers

NZKoz (author)

Tue Oct 14 02:47:27 -0700 2008

commit 7282ed863ca7e6f928bae9162c9a63a98775a19d
tree 3b6538fbe789c28a6a452566517272105630f6fe
parent e8577991dcc47bcb11f99fd6582ee2a3f8270498

actionpack/lib/action_controller/response.rb

actionpack/lib/action_controller/response.rb

0
@@ -30,9 +30,9 @@ module ActionController
0
 
0
     def redirect(to_url, response_status)
0
       self.headers["Status"] = response_status
0
-      self.headers["Location"] = to_url
0
+      self.headers["Location"] = to_url.gsub(/[\r\n]/, '')
0
 
0
-      self.body = "<html><body>You are being <a href=\"#{to_url}\">redirected</a>.</body></html>"
0
+      self.body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(to_url)}\">redirected</a>.</body></html>"
0
     end
0
 
0
     def prepare!

Comments