From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
From: wonda-tea-coffee <lagrange.resolvent@gmail.com>
Date: Mon, 5 Dec 2022 12:27:15 +0000
Subject: [PATCH] Fix sec issue with _url_host_allowed?
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
to malicious sites.
[CVE-2023-22797]
---
.../action_controller/metal/redirecting.rb | 6 ++-
actionpack/test/controller/redirect_test.rb | 38 +++++++++++++++++++
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 721d5d3279..0ae6a48748 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
def _url_host_allowed?(url)
host = URI(url.to_s).host
- host == request.host || host.nil? && url.to_s.start_with?("/")
+
+ return true if host == request.host
+ return false unless host.nil?
+ return false unless url.to_s.start_with?("/")
+ return !url.to_s.start_with?("//")
rescue ArgumentError, URI::Error
false
end
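Review bot: The added `return !url.to_s.start_with?("//")` is the line that actually refuses the redirect targets this commit is about, but nothing in the hunk records why a string whose parsed host is nil must still be rejected, so a later cleanup that folds the four returns back into one expression could silently drop it. A one-line comment above it would pin the intent, e.g. `# A protocol-relative "//host/..." is followed by browsers as a different origin even if URI() reports no host, so it must never pass as a local path.` Separately, `url.to_s` is evaluated three times in the method; assigning `url_string = url.to_s` once before the `URI(...)` call and reusing it in the two prefix checks keeps the host parse and the string checks on the same value. The `_enforce_open_redirect_protection` caller named in the hunk header lies outside the hunk.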