FIX: handle array in redirect param

discourse · Jun 11, 2019 · e2636f0 · e2636f0 · discoursereviewbot · Jun 17, 2019
1 parent f4fd75a
commit e2636f0
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
@@ -89,10 +89,11 @@ def enter
 
     destination = path("/")
 
-    if params[:redirect].present? && !params[:redirect].match(login_path)
+    redirect_location = params[:redirect].to_s
+    if redirect_location.present? && !redirect_location.match(login_path)
       begin
         forum_uri = URI(Discourse.base_url)
-        uri = URI(params[:redirect])
+        uri = URI(redirect_location)
 
         if uri.path.present? &&
            (uri.host.blank? || uri.host == forum_uri.host) &&

diff --git a/spec/requests/static_controller_spec.rb b/spec/requests/static_controller_spec.rb
@@ -283,6 +283,13 @@
       end
     end
 
+    context 'with an array' do
+      it "redirects to the root" do
+        post "/login.json", params: { redirect: ["/foo"] }
+        expect(response).to redirect_to('/')
+      end
+    end
+
     context 'when the redirect path is the login page' do
       it 'redirects to the root url' do
         post "/login.json", params: { redirect: login_path }