From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
From: wonda-tea-coffee
Date: Mon, 5 Dec 2022 12:27:15 +0000
Subject: [PATCH] Fix sec issue with _url_host_allowed?
Disallow certain strings from `_url_host_allowed?` to avoid a redirect to malicious sites. [CVE-2023-22797]
---
 .../action_controller/metal/redirecting.rb | 6 ++-
 actionpack/test/controller/redirect_test.rb | 38 +++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 721d5d3279..0ae6a48748 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
 def _url_host_allowed?(url)
 host = URI(url.to_s).host
- host == request.host || host.nil? && url.to_s.start_with?("/")
+
+ return true if host == request.host
+ return false unless host.nil?
+ return false unless url.to_s.start_with?("/")
+ return !url.to_s.start_with?("//")
 rescue ArgumentError, URI::Error
 false
 end
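Review bot: The new final check `return !url.to_s.start_with?("//")` carries no comment, so the reason a path-only string is rejected for beginning with `//` is lost on the next reader; it appears to cover strings that the URI parser leaves with a nil host but that a browser resolves as protocol-relative, i.e. to another origin. I would put `# Reject protocol-relative URLs: a nil-host string starting with "//" still resolves to another origin in the browser.` above that line and drop the trailing `return`, leaving `!url.to_s.start_with?("//")` as the method's last expression. `url.to_s` is also evaluated three times in the new body; assigning `url_string = url.to_s` once before the `URI(...)` call would keep every check on the same value and read more clearly. The `rescue` at the bottom only handles input that fails to parse, so the allow/deny decision for well-formed input rests entirely on these four lines; the test additions listed in the diffstat (not shown here) should pin at least one `//`-prefixed path as disallowed.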