diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a3eaec4bb..83b30d45d 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -511,11 +511,9 @@ class ApplicationController < ActionController::Base if uri.send(component).present? && uri.send(component) != request.send(component) return false end - - uri.send(:"#{component}=", nil) end - # Always ignore basic user:password in the URL - uri.userinfo = nil + # Remove unnecessary components to convert the URL into a relative URL + uri.omit!(:scheme, :userinfo, :host, :port) rescue Addressable::URI::InvalidURIError return false end diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb index e62dce943..31ba88fb5 100644 --- a/test/functional/account_controller_test.rb +++ b/test/functional/account_controller_test.rb @@ -658,4 +658,22 @@ class AccountControllerTest < Redmine::ControllerTest end end end + + def test_validate_back_url + request.host = 'example.com' + + assert_equal '/admin', @controller.send(:validate_back_url, 'http://example.com/admin') + assert_equal '/admin', @controller.send(:validate_back_url, 'http://dlopper:foo@example.com/admin') + assert_equal '/issues?query_id=1#top', @controller.send(:validate_back_url, 'http://example.com/issues?query_id=1#top') + assert_equal false, @controller.send(:validate_back_url, 'http://invalid.example.com/issues') + end + + def test_validate_back_url_with_port + request.host = 'example.com:3000' + + assert_equal '/admin', @controller.send(:validate_back_url, 'http://example.com:3000/admin') + assert_equal '/admin', @controller.send(:validate_back_url, 'http://dlopper:foo@example.com:3000/admin') + assert_equal '/issues?query_id=1#top', @controller.send(:validate_back_url, 'http://example.com:3000/issues?query_id=1#top') + assert_equal false, @controller.send(:validate_back_url, 'http://invalid.example.com:3000/issues') + end end