Added additional check when redirecting with return_to (#3631)
* Added additional check when redirecting with return_to

* Fixed test
farhatahmad committed Jul 11, 2022
1 parent 2a7a086 commit 20fe1ee
Showing 2 changed files with 4 additions and 2 deletions.
4 changes: 3 additions & 1 deletion app/controllers/concerns/authenticator.rb
Expand Up @@ -50,7 +50,9 @@ def check_email_verified(user)
dont_redirect_to.push(File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback"))
end

url = if cookies[:return_to] && !dont_redirect_to.include?(cookies[:return_to])
valid_url = cookies[:return_to] && URI.parse(cookies[:return_to]).host == URI.parse(request.original_url).host

url = if cookies[:return_to] && valid_url && !dont_redirect_to.include?(cookies[:return_to])
cookies[:return_to]
elsif user.role.get_permission("can_create_rooms")
user.main_room
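Review bot: the new `valid_url` line calls `URI.parse` on a cookie value that the client controls, and `URI.parse` raises `URI::InvalidURIError` on malformed input, so a bad `return_to` cookie now produces an exception in `check_email_verified` instead of the previous fallback to `user.main_room`; wrap the parse (`URI.parse(cookies[:return_to]) rescue nil`, or a `begin`/`rescue URI::InvalidURIError` block) and treat a parse failure as `valid_url = false`. Two smaller points on the same line: a relative `return_to` such as `/rooms/abc` parses with `host == nil`, so relative paths that used to redirect will now be silently dropped (either accept `host.nil?` for relative paths or confirm that callers always store an absolute URL in the cookie), and the check compares only `host`, not scheme or port, so `http://` and `https://` variants of the site are treated as the same origin; comparing `scheme`, `host` and `port` together, or using the host comparison only as part of a stricter check, would be safer. Finally, `cookies[:return_to] &&` is evaluated both in `valid_url` and again in the `url = if` condition; the second occurrence is redundant once `valid_url` already implies it.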
2 changes: 1 addition & 1 deletion spec/controllers/sessions_controller_spec.rb
Expand Up @@ -171,7 +171,7 @@
user = create(:user, provider: "greenlight",
password: "Example1!", password_confirmation: 'example')

url = Faker::Internet.domain_name
url = "http://test.host/test"

@request.cookies[:return_to] = url
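Review bot: the spec now only exercises the positive case, where `return_to` points at the request host (`http://test.host/test`) and the redirect is expected to follow it; there is no companion example asserting that a `return_to` on a different host is ignored and the controller falls back to the user's main room, which is the behaviour the controller change actually introduces. Add a second example that sets `@request.cookies[:return_to]` to an absolute URL on another host and expects `redirect_to` the fallback, and consider a third with a non-URI cookie value so the spec documents how a parse failure is handled. Also note that the fixture on the context lines creates the user with `password: "Example1!"` and `password_confirmation: 'example'`, which only works because the factory does not validate confirmation; it is unrelated to this change but worth tidying so the test does not depend on that.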
