Merge pull request rails#5456 from brianmario/redirect-sanitization

Strip null bytes from Location header

actionpack/lib/action_controller/metal/redirecting.rb

@@ -93,7 +93,7 @@ def _compute_redirect_to_location(options)
           _compute_redirect_to_location options.call
         else
           url_for(options)
-        end.gsub(/[\r\n]/, '')
+        end.gsub(/[\0\r\n]/, '')
       end
   end
 end

actionpack/lib/action_dispatch/testing/assertions/response.rb

@@ -83,7 +83,7 @@ def normalize_argument_to_redirection(fragment)
             refer
           else
             @controller.url_for(fragment)
-          end.gsub(/[\r\n]/, '')
+          end.gsub(/[\0\r\n]/, '')
         end
 
         def validate_request!

actionpack/test/controller/redirect_test.rb

@@ -103,6 +103,14 @@ def redirect_to_with_block_and_options
     redirect_to proc { {:action => "hello_world"} }
   end
 
+  def redirect_with_header_break
+    redirect_to "/lol\r\nwat"
+  end
+
+  def redirect_with_null_bytes
+    redirect_to "\000/lol\r\nwat"
+  end
+
   def rescue_errors(e) raise e end
 
   def rescue_action(e) raise end
@@ -122,6 +130,18 @@ def test_simple_redirect
     assert_equal "http://test.host/redirect/hello_world", redirect_to_url
   end
 
+  def test_redirect_with_header_break
+    get :redirect_with_header_break
+    assert_response :redirect
+    assert_equal "http://test.host/lolwat", redirect_to_url
+  end
+
+  def test_redirect_with_null_bytes
+    get :redirect_with_header_break
+    assert_response :redirect
+    assert_equal "http://test.host/lolwat", redirect_to_url
+  end
+
   def test_redirect_with_no_status
     get :simple_redirect
     assert_response 302