Allow relative redirects when raise_on_open_redirects is enabled #44650

Merged
merged 1 commit into from
Mar 10, 2022

Conversation

tomhughes
Contributor

Summary

Redirecting to a URL generated with only_path: true should be allowed when open redirect protection is enabled because a relative URL with no host refers to the same host.
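
The reasoning in the summary above, as an added example that is not part of the pull request or Rails' own code: a hypothetical `same_host_redirect?` helper accepts a host-less, path-absolute target and otherwise requires the target's host to match the request host. The helper name, the host names and the sample targets are constructed for illustration.

```ruby
require "uri"

# Hypothetical helper (an assumption for illustration, not Rails' implementation):
# returns true only when a redirect target stays on the host serving the request.
def same_host_redirect?(location, request_host)
  target = location.to_s
  # Browsers rewrite backslashes to slashes and drop whitespace and control
  # characters, so refuse such input instead of guessing how it will be read.
  return false if target.empty? || target.match?(/[\\\x00-\x20\x7f]/)

  uri = URI.parse(target)
  if uri.host.nil? || uri.host.empty?
    # No host: accept only a path-absolute reference such as "/users/1".
    # A leading "//" is refused because browsers read what follows as a host.
    uri.scheme.nil? && target.start_with?("/") && !target.start_with?("//")
  else
    # A host is present (absolute or protocol-relative URL): it must be ours,
    # and any explicit scheme must be http or https.
    scheme_ok = uri.scheme.nil? || %w[http https].include?(uri.scheme.downcase)
    scheme_ok && uri.host.casecmp?(request_host.to_s)
  end
rescue URI::InvalidURIError
  false # unparseable targets are never followed
end

# Constructed sample targets, checked against a constructed request host.
REQUEST_HOST = "app.example.test"
SAMPLE_TARGETS = [
  "/users/1?page=2",                   # what only_path: true produces
  "https://app.example.test/settings", # absolute URL, same host
  "//other.example.test/login",        # protocol-relative, different host
  "https://other.example.test/",       # absolute URL, different host
  "/\\other.example.test",             # backslash variant
  "javascript:void(0)"                 # scheme without a host
].freeze

SAMPLE_TARGETS.each do |t|
  verdict = same_host_redirect?(t, REQUEST_HOST) ? "allow" : "block"
  puts format("%-5s %s", verdict, t.inspect)
end
```
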

@rails-bot rails-bot bot added the actionpack label Mar 10, 2022
@tenderlove tenderlove merged commit 1bca3cc into rails:main Mar 10, 2022
@tomhughes tomhughes deleted the relative-redirect branch March 10, 2022 17:33
rafaelfranca pushed a commit that referenced this pull request Mar 14, 2022
Allow relative redirects when `raise_on_open_redirects` is enabled
brucebolt added a commit to alphagov/signon that referenced this pull request Apr 13, 2022
Rails 7.0.2.3 has a bug where `redirect_back_or_to` (the replacement for
`redirect_back`) does not work for relative URLs.

This has been resolved in rails/rails#44650 but
has not yet been included in a release of Rails.

Therefore creating our own workaround, which can be removed once Rails
is upgraded to a version containing this fix.
brucebolt added a commit to alphagov/signon that referenced this pull request Apr 14, 2022
Rails 7.0.2.3 has a bug where `redirect_back_or_to` (the replacement for
`redirect_back`) does not work for relative URLs.

This has been resolved in rails/rails#44650 but
has not yet been included in a release of Rails.

Therefore creating our own workaround, which can be removed once Rails
is upgraded to a version containing this fix.