Fix the Redirect warnings from Brakeman

Unfortunately I've had to leave the check disabed as Brakeman
can't see inside the safe_referer method so doesn't realise that
it is cleaning the referer.

app/controllers/application_controller.rb

@@ -65,7 +65,7 @@ def require_cookies
     if request.cookies["_osm_session"].to_s == ""
       if params[:cookie_test].nil?
         session[:cookie_test] = true
-        redirect_to params.to_unsafe_h.merge(:cookie_test => "true")
+        redirect_to params.to_unsafe_h.merge(:only_path => true, :cookie_test => "true")
         false
       else
         flash.now[:warning] = t "application.require_cookies.cookies_needed"
@@ -372,4 +372,19 @@ def get_auth_data
 
   # override to stop oauth plugin sending errors
   def invalid_oauth_response; end
+
+  # clean any referer parameter
+  def safe_referer(referer)
+    referer = URI.parse(referer)
+
+    if referer.scheme == "http" || referer.scheme == "https"
+      referer.scheme = nil
+      referer.host = nil
+      referer.port = nil
+    elsif referer.scheme || referer.host || referer.port
+      referer = nil
+    end
+
+    referer.to_s
+  end
 end

app/controllers/friendships_controller.rb

@@ -27,7 +27,7 @@ def make_friend
         end
 
         if params[:referer]
-          redirect_to params[:referer]
+          redirect_to safe_referer(params[:referer])
         else
           redirect_to user_path
         end
@@ -50,7 +50,7 @@ def remove_friend
         end
 
         if params[:referer]
-          redirect_to params[:referer]
+          redirect_to safe_referer(params[:referer])
         else
           redirect_to user_path
         end

app/controllers/messages_controller.rb

@@ -120,7 +120,7 @@ def destroy
       flash[:notice] = t ".destroyed"
 
       if params[:referer]
-        redirect_to params[:referer]
+        redirect_to safe_referer(params[:referer])
       else
         redirect_to :action => :inbox
       end

app/controllers/site_controller.rb

@@ -17,39 +17,32 @@ def index
 
   def permalink
     lon, lat, zoom = ShortLink.decode(params[:code])
-    new_params = params.except(:code, :lon, :lat, :zoom, :layers, :node, :way, :relation, :changeset)
+    new_params = params.except(:host, :controller, :action, :code, :lon, :lat, :zoom, :layers, :node, :way, :relation, :changeset)
 
     if new_params.key? :m
       new_params.delete :m
       new_params[:mlat] = lat
       new_params[:mlon] = lon
     end
 
-    if params.key? :node
-      new_params[:controller] = "browse"
-      new_params[:action] = "node"
-      new_params[:id] = params[:node]
-    elsif params.key? :way
-      new_params[:controller] = "browse"
-      new_params[:action] = "way"
-      new_params[:id] = params[:way]
-    elsif params.key? :relation
-      new_params[:controller] = "browse"
-      new_params[:action] = "relation"
-      new_params[:id] = params[:relation]
-    elsif params.key? :changeset
-      new_params[:controller] = "browse"
-      new_params[:action] = "changeset"
-      new_params[:id] = params[:changeset]
-    else
-      new_params[:controller] = "site"
-      new_params[:action] = "index"
-    end
-
     new_params[:anchor] = "map=#{zoom}/#{lat}/#{lon}"
     new_params[:anchor] += "&layers=#{params[:layers]}" if params.key? :layers
 
-    redirect_to new_params.to_unsafe_h
+    options = new_params.to_unsafe_h.to_options
+
+    path = if params.key? :node
+             node_path(params[:node], options)
+           elsif params.key? :way
+             way_path(params[:way], options)
+           elsif params.key? :relation
+             relation_path(params[:relation], options)
+           elsif params.key? :changeset
+             changeset_path(params[:changeset], options)
+           else
+             root_url(options)
+           end
+
+    redirect_to path
   end
 
   def key
@@ -166,6 +159,6 @@ def redirect_map_params
       anchor << "layers=N"
     end
 
-    redirect_to params.to_unsafe_h.merge(:anchor => anchor.join("&")) if anchor.present?
+    redirect_to params.to_unsafe_h.merge(:only_path => true, :anchor => anchor.join("&")) if anchor.present?
   end
 end

app/controllers/users_controller.rb

@@ -43,7 +43,7 @@ def save
         flash[:notice] = t("users.new.terms declined", :url => t("users.new.terms declined url")).html_safe if current_user.save
 
         if params[:referer]
-          redirect_to params[:referer]
+          redirect_to safe_referer(params[:referer])
         else
           redirect_to :action => :account, :display_name => current_user.display_name
         end
@@ -63,7 +63,7 @@ def save
       end
 
       if params[:referer]
-        redirect_to params[:referer]
+        redirect_to safe_referer(params[:referer])
       else
         redirect_to :action => :account, :display_name => current_user.display_name
       end
@@ -198,7 +198,11 @@ def reset_password
 
   def new
     @title = t "users.new.title"
-    @referer = params[:referer] || session[:referer]
+    @referer = if params[:referer]
+                 safe_referer(params[:referer])
+               else
+                 session[:referer]
+               end
 
     append_content_security_policy_directives(
       :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
@@ -231,7 +235,9 @@ def create
     self.current_user = User.new(user_params)
 
     if check_signup_allowed(current_user.email)
-      session[:referer] = params[:referer]
+      session[:referer] = safe_referer(params[:referer]) if params[:referer]
+
+      Rails.logger.info "create: #{session[:referer]}"
 
       current_user.status = "pending"
 
@@ -258,7 +264,7 @@ def create
   end
 
   def login
-    session[:referer] = params[:referer] if params[:referer]
+    session[:referer] = safe_referer(params[:referer]) if params[:referer]
 
     if params[:username].present? && params[:password].present?
       session[:remember_me] ||= params[:remember_me]
@@ -278,7 +284,7 @@ def logout
       session.delete(:user)
       session_expires_automatically
       if params[:referer]
-        redirect_to params[:referer]
+        redirect_to safe_referer(params[:referer])
       else
         redirect_to :controller => "site", :action => "index"
       end
@@ -300,7 +306,7 @@ def confirm
         user.email_valid = true
         flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
         user.save!
-        referer = token.referer
+        referer = safe_referer(token.referer) if token.referer
         token.destroy
 
         if session[:token]