gitlab.com/gitlab-org/gitlab-foss.git
author Markus Koller <mkoller@gitlab.com> 2019-06-20 20:45:01 +0300
committer Markus Koller <mkoller@gitlab.com> 2019-06-25 14:19:30 +0300
commit db132bae1d0098dce835844bfa667c5377510d3c
tree 0b690d78e0251ab6010e76aea7960a2f815b8935 /app/controllers
parent 8fd2c08472afc3846ba28f97994a57143bc76eaf
Support redirect paths starting with a dash
We use a leading dash for certain things like the WebIDE, which had the side effect of losing the `params[:continue][:to]` param when opening the WebIDE on a project where the user doesn't have push access and therefore needs to fork the project first.
Diffstat (limited to 'app/controllers')
-rw-r--r-- app/controllers/concerns/internal_redirect.rb 4
1 files changed, 2 insertions, 2 deletions
diff --git a/app/controllers/concerns/internal_redirect.rb b/app/controllers/concerns/internal_redirect.rb
index 6785e6972d0..fa3716502a0 100644
--- a/app/controllers/concerns/internal_redirect.rb
+++ b/app/controllers/concerns/internal_redirect.rb
@@ -5,8 +5,8 @@ module InternalRedirect
def safe_redirect_path(path)
return unless path
- # Verify that the string starts with a `/` but not a double `/`.
- return unless path =~ %r{^/\w.*$}
+ # Verify that the string starts with a `/` and a known route character.
+ return unless path =~ %r{^/[-\w].*$}
uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and,
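Review bot: The check on the changed line, `path =~ %r{^/[-\w].*$}`, anchors with `^` and `$`, which in Ruby match at the start and end of any line rather than of the whole string, so a value containing a newline passes if any one of its lines starts with `/` followed by `-` or a word character. Since this line is being touched anyway, anchor with `\A` and `\z`, for example `%r{\A/[-\w].*\z}`, so the test applies to the full value. The new comment also drops the reason the second character matters: the class `[-\w]` still rejects `//` (a protocol-relative URL), and the comment should keep saying so, so that a later widening of the class does not quietly allow it.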