
Don’t allow arbitrary data in back urls #22180

Merged
merged 1 commit into from Nov 4, 2015

@ExMember
Contributor

ExMember commented Nov 4, 2015

`link_to :back` creates a link to whatever was passed in via the referer header. If an attacker can alter the referer header, that would create a cross-site scripting vulnerability on every page that uses `link_to :back`.

This commit restricts the back URL to valid non-javascript URLs.

#14444

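The filter the PR describes, as an added example that is not the Rails project's own code: a stand-in for what `link_to :back` should resolve to, given a Rack-style env hash. It goes slightly beyond the PR's "not `javascript:`" rule by allow-listing `http`/`https` only, and the `filtered_referrer`/`back_url` names and the sample env values are assumptions for this illustration.

```ruby
require 'uri'

# Fallback used when the Referer header is missing or rejected.
JS_HISTORY_BACK = 'javascript:history.back()'.freeze

# Schemes a browser-supplied Referer may carry. An allow-list is stricter
# than the "anything but javascript:" rule in the PR description.
SAFE_SCHEMES = %w[http https].freeze

# Returns the referrer only if it is a well-formed absolute http(s) URL,
# otherwise nil. Rejects blank values, scheme-less values, `javascript:`
# (in any letter case), and anything URI.parse refuses to parse.
def filtered_referrer(referrer)
  return nil if referrer.nil? || referrer.strip.empty?
  uri = URI.parse(referrer)
  scheme = uri.scheme && uri.scheme.downcase
  return nil unless SAFE_SCHEMES.include?(scheme)
  return nil if uri.host.nil? || uri.host.empty?
  referrer
rescue URI::InvalidURIError
  nil
end

# What a `link_to :back` style helper should emit as href (hypothetical
# helper name): the filtered referrer, or the history.back() fallback.
def back_url(env)
  filtered_referrer(env['HTTP_REFERER']) || JS_HISTORY_BACK
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers, not captured traffic.
  [
    { 'HTTP_REFERER' => 'https://app.example/orders?page=2' },
    { 'HTTP_REFERER' => 'JavaScript:alert(1)' },
    { 'HTTP_REFERER' => 'not a url' },
    {}
  ].each { |env| puts "#{env.inspect} => #{back_url(env)}" }
end
```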
rails-bot commented Nov 4, 2015

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @carlosantoniodasilva (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

rafaelfranca added a commit that referenced this pull request Nov 4, 2015

@rafaelfranca rafaelfranca merged commit e8b2c05 into rails:master Nov 4, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed