Sanitize the URLs passed to redirect_to to prevent a potential respon…

…se splitting attack. CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers, so care needs to be taken.
rails · Oct 19, 2008 · ba80ff7 · ba80ff7
1 parent de0ed53
commit ba80ff7
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
@@ -114,8 +114,8 @@ def etag=(etag)
 
     def redirect(url, status)
       self.status = status
-      self.location = url
-      self.body = "<html><body>You are being <a href=\"#{url}\">redirected</a>.</body></html>"
+      self.location = url.gsub(/[\r\n]/, '')
+      self.body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(url)}\">redirected</a>.</body></html>"
     end
 
     def sending_file?