Improve fallback behaviour for unsafe referer redirects
authorTom Hughes <tom@compton.nu>
Tue, 23 Nov 2021 17:12:19 +0000 (17:12 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 23 Nov 2021 17:18:41 +0000 (17:18 +0000)
app/controllers/application_controller.rb
app/controllers/friendships_controller.rb
app/controllers/messages_controller.rb
app/controllers/sessions_controller.rb
app/controllers/users_controller.rb

index d0898bf5e4f1b5fa098128c851c703da096c4b86..07b23ce21c814561c8266cff403a46874bb4cbb8 100644 (file)
@@ -397,7 +397,7 @@ class ApplicationController < ActionController::Base
       referer = nil
     end
 
-    referer.to_s
+    referer&.to_s
   end
 
   def scope_enabled?(scope)
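Review bot: The return contract of safe_referer changes with `referer&.to_s` — a rejected referer now yields nil instead of "" — yet nothing in the method states that, so the callers in this commit that test the result with `||` are relying on an undocumented guarantee. A one-line comment at the method definition (which sits above this hunk) would pin it down: `# Returns the referer as a String, or nil when it was rejected, so callers can fall back with ||.` safe_referer's body begins before the first line of this hunk, so only its tail is visible here.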
index 5cdb2a4e4323ea11645383bea4ebf94edeb2561b..93dffb4a366f6d3965aca3614147a57e54f65260 100644 (file)
@@ -28,11 +28,9 @@ class FriendshipsController < ApplicationController
           friendship.add_error(t("friendships.make_friend.failed", :name => @new_friend.display_name))
         end
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_path
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_path
       end
     else
       render_unknown_user params[:display_name]
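Review bot: The `||` fallback on the last added line only fires when safe_referer returns nil, but an empty string is truthy in Ruby, so if safe_referer can still hand back "" for some input (its body is outside this hunk; the application_controller hunk only shows the final `referer&.to_s`), `redirect_to ""` would be attempted instead of user_path. If that case is reachable, `redirect_to referer.presence || user_path` covers nil and blank alike. The same shape is used in the second friendships_controller hunk and in both users_controller hunks of this commit. The enclosing method starts before this hunk.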
@@ -51,11 +49,9 @@ class FriendshipsController < ApplicationController
           flash[:error] = t "friendships.remove_friend.not_a_friend", :name => @friend.display_name
         end
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_path
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_path
       end
     else
       render_unknown_user params[:display_name]
index dacd002612ec4c0ee11cdd1b6943c6cc6d7e4966..a95e2e5878d6965f31f1ae7b425828c4721017fd 100644 (file)
@@ -119,8 +119,10 @@ class MessagesController < ApplicationController
     if @message.save && !request.xhr?
       flash[:notice] = t ".destroyed"
 
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      if referer
+        redirect_to referer
       else
         redirect_to :action => :inbox
       end
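Review bot: The new `if referer` / `else` block here spells out what the friendships_controller and users_controller hunks in this same commit express with a single `||`; keeping one shape across all five call sites would make the fallback easier to scan and to review together. Here that would be `redirect_to referer || { :action => :inbox }`, and the sessions_controller hunk could likewise become `redirect_to referer || { :controller => "site", :action => "index" }`. The enclosing method begins before this hunk.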
index 7e6a740f3e1a1e86ef4d4d4be5e6936959086084..bb3854e69b3d48348c394faa8dbc4ec6b2b2ac48 100644 (file)
@@ -34,10 +34,14 @@ class SessionsController < ApplicationController
         token&.destroy
         session.delete(:token)
       end
+
       session.delete(:user)
       session_expires_automatically
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
+
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      if referer
+        redirect_to referer
       else
         redirect_to :controller => "site", :action => "index"
       end
index 8b04167b0325191ea5fa860b2b30043ed6cf435e..b90fbea11c761f4b611368cb75b6ae5a074d8741 100644 (file)
@@ -44,11 +44,9 @@ class UsersController < ApplicationController
 
         flash[:notice] = { :partial => "users/terms_declined_flash" } if current_user.save
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_account_path(current_user)
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_account_path(current_user)
       elsif params[:decline]
         redirect_to t("users.terms.declined")
       else
@@ -64,11 +62,9 @@ class UsersController < ApplicationController
         flash[:notice] = t "users.new.terms accepted" if current_user.save
       end
 
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
-      else
-        redirect_to user_account_path(current_user)
-      end
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      redirect_to referer || user_account_path(current_user)
     else
       self.current_user = session.delete(:new_user)