Caught a bug on the exception path of redirect_back_or_default. #1916

2009-01-20 14:07:54 -08:00
parent 099e87fda8
commit b21430a7f2
2 changed files with 9 additions and 1 deletions
--- a/app/controllers/rates_controller.rb
+++ b/app/controllers/rates_controller.rb
@@ -132,12 +132,13 @@ class RatesController < ApplicationController
    if !back_url.blank?
      begin
        uri = URI.parse(back_url)
-        if uri.path.match(whitelist)
+        if uri.path && uri.path.match(whitelist)
          super
          return
        end
      rescue URI::InvalidURIError
        # redirect to default
+        logger.debug("Invalid URI sent to redirect_back_or_default: " + params[:back_url].inspect)
      end
    end
    redirect_to default
--- a/spec/controllers/rates_controller_spec.rb
+++ b/spec/controllers/rates_controller_spec.rb
@@ -474,5 +474,12 @@ describe RatesController, "as an administrator" do
      controller.params = { :back_url => '/back' }
      controller.send(:redirect_back_or_default, @default_url)
    end
+    
+    it "should not allow redirecting to an invalid uri" do
+      controller.should_receive(:redirect_to).with(@default_url).and_return(true)
+      controller.params = { :back_url => 'http://' }
+      controller.send(:redirect_back_or_default, @default_url)
+      
+    end
  end
 end