refs #9 - fix for usability problem.

Fix for this problem: https://github.com/ninech/redmine_cas/pull/13#issuecomment-53697288
2014-09-16 17:17:58 +02:00 · 2014-09-16 17:17:58 +02:00 · 38d025cc2b
parent bd22c5b3ff
commit 38d025cc2b
2 changed files with 23 additions and 3 deletions
--- a/lib/redmine_cas/account_controller_patch.rb
+++ b/lib/redmine_cas/account_controller_patch.rb
@ -48,7 +48,24 @@ module RedmineCAS
          else
            self.logged_user = user
          end
-          redirect_to url_for(params.merge(:ticket => nil))
+
+          # If a parameter :ref exists, redirect to :ref. This is a workaround for the
+          # usability problem I introduced trying to fix issue #9.
+          # https://github.com/ninech/redmine_cas/pull/13#issuecomment-53697288
+
+          if params.has_key?(:ref)
+            # do some basic validation on ref, to prevent a malicious link to redirect
+            # to another site.
+            new_url = params[:ref]
+            if /http(s)?:\/\/|@/ =~ new_url
+              # evil referrer!
+              redirect_to url_for(params.merge(:ticket => nil))
+            else
+              redirect_to request.base_url + params[:ref]
+            end
+          else
+            redirect_to url_for(params.merge(:ticket => nil))
+          end
        else
          # CASClient called redirect_to
        end
--- a/lib/redmine_cas/application_controller_patch.rb
+++ b/lib/redmine_cas/application_controller_patch.rb
@ -14,9 +14,12 @@ module RedmineCAS
      def require_login_with_cas
        return require_login_without_cas unless RedmineCAS.enabled?
        if !User.current.logged?
+          referrer = request.fullpath;
          respond_to do |format|
-            format.html { redirect_to :controller => 'account', :action => 'cas' }
-            format.atom { redirect_to :controller => 'account', :action => 'cas' }
+            # pass referer to cas action, to work around this problem:
+            # https://github.com/ninech/redmine_cas/pull/13#issuecomment-53697288
+            format.html { redirect_to :controller => 'account', :action => 'cas', :ref => referrer }
+            format.atom { redirect_to :controller => 'account', :action => 'cas', :ref => referrer }
            format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
            format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
            format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }