Merge pull request #45485 from santib/fix-open-redirects

Fix vulnerability in open redirects
rails · Jun 28, 2022 · c3c7475 · c3c7475
2 parents 7ebda0a + 708bb9d
commit c3c7475
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -195,7 +195,8 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
       end
 
       def _url_host_allowed?(url)
-        [request.host, nil].include?(URI(url.to_s).host)
+        host = URI(url.to_s).host
+        host == request.host || host.nil? && url.to_s.start_with?("/")
       rescue ArgumentError, URI::Error
         false
       end

diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
@@ -88,6 +88,10 @@ def unsafe_redirect_back
     redirect_back_or_to "http://www.rubyonrails.org/"
   end
 
+  def unsafe_redirect_malformed
+    redirect_to "http:///www.rubyonrails.org/"
+  end
+
   def only_path_redirect
     redirect_to action: "other_host", only_path: true
   end
@@ -504,6 +508,16 @@ def test_unsafe_redirect_back
     end
   end
 
+  def test_unsafe_redirect_with_malformed_url
+    with_raise_on_open_redirects do
+      error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
+        get :unsafe_redirect_malformed
+      end
+
+      assert_equal "Unsafe redirect to \"http:///www.rubyonrails.org/\", pass allow_other_host: true to redirect anyway.", error.message
+    end
+  end
+
   def test_only_path_redirect
     with_raise_on_open_redirects do
       get :only_path_redirect