FIX: handle array in redirect param

FIX: handle array in redirect param

diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index b940641..991c9c9 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -89,10 +89,11 @@ class StaticController < ApplicationController
 
     destination = path("/")
 
-    if params[:redirect].present? && !params[:redirect].match(login_path)
+    redirect_location = params[:redirect].to_s
+    if redirect_location.present? && !redirect_location.match(login_path)
       begin
         forum_uri = URI(Discourse.base_url)
-        uri = URI(params[:redirect])
+        uri = URI(redirect_location)
 
         if uri.path.present? &&
            (uri.host.blank? || uri.host == forum_uri.host) &&
diff --git a/spec/requests/static_controller_spec.rb b/spec/requests/static_controller_spec.rb
index 5553328..73ce3ff 100644
--- a/spec/requests/static_controller_spec.rb
+++ b/spec/requests/static_controller_spec.rb
@@ -283,6 +283,13 @@ describe StaticController do
       end
     end
 
+    context 'with an array' do
+      it "redirects to the root" do
+        post "/login.json", params: { redirect: ["/foo"] }
+        expect(response).to redirect_to('/')
+      end
+    end
+
     context 'when the redirect path is the login page' do
       it 'redirects to the root url' do
         post "/login.json", params: { redirect: login_path }

GitHub sha: e2636f0e

Hmmm but why? To me this feels like an abuse of the API; instead we should simply do a 400 here, no? Because you are sending in invalid params.


Done in:
