Redmine

As reported, I have confirmed the issue where passing a URL containing a port number, such as http://localhost:3000/admin, to the ApplicationController#validate_back_url method results in false being returned.

Inside the validate_back_url method, there is a process that removes the protocol, hostname, and port number from the provided URL. Specifically, the following code is responsible for this:

uri = Addressable::URI.parse(back_url)
[:scheme, :host, :port].each do |component|
  if uri.send(component).present? && uri.send(component) != request.send(component)
    return false
  end

  uri.send(:"#{component}=", nil)
end

In this code, the protocol, hostname, and port number are removed sequentially from the Addressable::URI object created from the given URL. However, when processing in this order, an exception occurs when attempting to remove the hostname. This happens because removing the hostname leaves the URL in a state where it has a port number but no hostname, resulting in the following exception:

Addressable::URI::InvalidURIError: Hostname not supplied: '/admin'

As suggested in the proposed patch, this issue can be resolved by removing the port number before removing the hostname. This adjustment ensures that the URL remains valid during the process.

Setting the target version to 6.0.3.

Here is a new patch. I have updated the code to use the omit! method, as I suggested in #note-3, to remove unnecessary components from the URI object. By using omit! to remove multiple components at once, we no longer need to worry about the order in which the components are removed.

Additionally, the current code has a bug where it throws an exception when a URL contains Basic authentication information (e.g., http://user:password@redmine.example.net) during the uri.send(:"host=") step. This patch also fixes that issue.

Committed the patch in r23465. Thank you for your contribution.

Merged the fix into the 6.0-stable branch in r23467.