rubygem-actionpack/CVE-2023-28362-test.patch
2023-07-24 14:20:53 +08:00


diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
index 91a8f8512b..40bd8d68da 100644
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@@ -104,6 +104,10 @@ def unsafe_redirect_protocol_relative_triple_slash
redirect_to "http:///www.rubyonrails.org/"
end
+ def unsafe_redirect_with_illegal_http_header_value_character
+ redirect_to "javascript:alert(document.domain)\b", allow_other_host: true
+ end
+
def only_path_redirect
redirect_to action: "other_host", only_path: true
end
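Review bot: The new action `unsafe_redirect_with_illegal_http_header_value_character` passes `allow_other_host: true` with no comment saying why, and the reason is the whole point of the fixture: with the host check bypassed, any `UnsafeRedirectError` the companion test observes can only have come from the illegal-header-character check, not from the ordinary other-host rejection. It is also worth spelling out that `\b` inside a double-quoted Ruby string is a literal backspace (0x08), not a regex word boundary, since a reader skimming a `javascript:` URL may misread it. Suggest adding above the `redirect_to` line: `# allow_other_host: true bypasses the open-redirect host check so the raise comes only from the illegal header-character check; "\b" is a literal 0x08 byte.` The implementation this exercises is outside this patch, so the claim about which check fires is inferred from the test's construction.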
@@ -556,6 +560,19 @@ def test_unsafe_redirect_with_protocol_relative_triple_slash_url
end
end
+ def test_unsafe_redirect_with_illegal_http_header_value_character
+ with_raise_on_open_redirects do
+ error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
+ get :unsafe_redirect_with_illegal_http_header_value_character
+ end
+
+ msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
+ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+
+ assert_equal msg, error.message
+ end
+ end
+
def test_only_path_redirect
with_raise_on_open_redirects do
get :only_path_redirect
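Review bot: The new `test_unsafe_redirect_with_illegal_http_header_value_character` exercises the check with a single control byte (0x08), while the expected message it pins cites the full RFC 7230 §3.2.6 field-value grammar; nothing in this patch drives CR, LF or NUL through `redirect_to`, and CR/LF are the characters that matter most for header injection. A second action using `"/redirect\r\nX-Injected: 1"` (without `allow_other_host`) with a matching test would show the check is not specific to the one byte chosen here. Separately, the expected message interpolates the raw URL, control byte included, rather than an `inspect`ed form, so the exact `assert_equal` depends on the implementation emitting the byte verbatim into the exception text; if that message is ever logged or rendered on an error page it will carry the raw control character, which the implementation patch (not shown here) may or may not guard against. Only the `with_raise_on_open_redirects` path is tested; what happens when that setting is off is not covered by this patch.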
--
2.39.2