Fix exception when X-XHR-Referer isn't a invalid a URI

turbolinks · Feb 28, 2015 · 1a7f31f · 1a7f31f
1 parent 91d8cc8
commit 1a7f31f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/lib/turbolinks/x_domain_blocker.rb b/lib/turbolinks/x_domain_blocker.rb
@@ -11,11 +11,12 @@ def same_origin?(a, b)
       end
 
       def abort_xdomain_redirect
-        to_uri = response.headers['Location'] || ""
-        current = request.headers['X-XHR-Referer'] || ""
+        to_uri = response.headers['Location']
+        current = request.headers['X-XHR-Referer']
         unless to_uri.blank? || current.blank? || same_origin?(current, to_uri)
           self.status = 403
         end
+      rescue URI::InvalidURIError
       end
   end
 end
diff --git a/test/turbolinks/turbolinks_test.rb b/test/turbolinks/turbolinks_test.rb
@@ -20,6 +20,10 @@ def redirect_to_different_protocol
   def redirect_to_back
     redirect_to :back
   end
+
+  def redirect_to_unescaped_path
+    redirect_to "#{request.protocol}#{request.host}/foo bar"
+  end
 end
 
 class TurbolinksTest < ActionController::TestCase
@@ -94,4 +98,22 @@ def test_changes_status_to_403_on_turbolinks_requests_redirecting_to_different_o
     get :redirect_to_same_origin
     assert_response :redirect
   end
+
+  def test_handles_invalid_xhr_referer_on_redirection
+    @request.headers['X-XHR-Referer'] = ':'
+    get :redirect_to_same_origin
+    assert_response :redirect
+  end
+
+  def test_handles_unescaped_same_origin_location_on_redirection
+    @request.headers['X-XHR-Referer'] = 'http://test.host/'
+    get :redirect_to_unescaped_path
+    assert_response :redirect
+  end
+
+  def test_handles_unescaped_different_origin_location_on_redirection
+    @request.headers['X-XHR-Referer'] = 'https://test.host/'
+    get :redirect_to_unescaped_path
+    assert_response :forbidden
+  end
 end