From b21430a7f2bd3bbfa624aa126bf6e7be226178fd Mon Sep 17 00:00:00 2001
From: Eric Davis
Date: Tue, 20 Jan 2009 14:07:54 -0800
Subject: [PATCH] Caught a bug on the exception path of redirect_back_or_default. #1916

---
 app/controllers/rates_controller.rb | 3 ++-
 spec/controllers/rates_controller_spec.rb | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/controllers/rates_controller.rb b/app/controllers/rates_controller.rb
index fc03b66..c3a434c 100644
--- a/app/controllers/rates_controller.rb
+++ b/app/controllers/rates_controller.rb
@@ -132,12 +132,13 @@ class RatesController < ApplicationController
 if !back_url.blank?
 begin
 uri = URI.parse(back_url)
- if uri.path.match(whitelist)
+ if uri.path && uri.path.match(whitelist)
 super
 return
 end
 rescue URI::InvalidURIError
 # redirect to default
+ logger.debug("Invalid URI sent to redirect_back_or_default: " + params[:back_url].inspect)
 end
 end
 redirect_to default
diff --git a/spec/controllers/rates_controller_spec.rb b/spec/controllers/rates_controller_spec.rb
index 9c900e2..6d008f1 100644
--- a/spec/controllers/rates_controller_spec.rb
+++ b/spec/controllers/rates_controller_spec.rb
@@ -474,5 +474,12 @@ describe RatesController, "as an administrator" do
 controller.params = { :back_url => '/back' }
 controller.send(:redirect_back_or_default, @default_url)
 end
+ it "should not allow redirecting to an invalid uri" do controller.should_receive(:redirect_to).with(@default_url).and_return(true) controller.params = { :back_url => 'http://' } controller.send(:redirect_back_or_default, @default_url)
+ end
 end
 end
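Review bot: The whitelist check on the changed `if` line inspects only `uri.path`, so the scheme and host of `back_url` are not constrained here; unless `whitelist` (bound above the hunk) or `super` also restricts them, an absolute URL to another host whose path matches would still reach `super`. If only same-site back URLs are intended, `if uri.host.nil? && uri.path && uri.path.match(whitelist)` would limit the pass-through to relative URLs. The new debug line logs `params[:back_url]` while the value actually parsed is `back_url`; logging `back_url.inspect` via interpolation (`"Invalid URI sent to redirect_back_or_default: #{back_url.inspect}"`) keeps the message tied to the input that failed. The enclosing method begins and ends outside the hunk.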
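Review bot: The new example's outcome depends on how `URI.parse('http://')` behaves on the Ruby version running the suite — it may raise `URI::InvalidURIError` or return a URI whose path is nil or empty — so a single input does not reliably pin both branches the controller change touches. Two examples, one with a value the parser certainly rejects (for the rescue path) and one with a scheme-only value such as the existing `'http://'` (for the nil-path guard), would make each branch's coverage independent of parser behaviour. The `describe` block this example belongs to begins outside the hunk.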