Release v1.2.2 with harderned local url redirect
chrismccord committed Mar 14, 2017
1 parent aa99735 commit 170e29b
Showing 7 changed files with 27 additions and 14 deletions.
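--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # Changelog
 
 
+## 1.2.2 (2017-3-14)
+
+* Big Fixes
+* [Controller] Harden local redirect against arbitrary URL redirection
+
 ## 1.2.1 (2016-8-11)
 
 * Enhancements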
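--- a/installer/lib/phoenix_new.ex
+++ b/installer/lib/phoenix_new.ex
@@ -491,7 +491,7 @@ defmodule Mix.Tasks.Phoenix.New do
 :crypto.strong_rand_bytes(length) |> Base.encode64 |> binary_part(0, length)
 end
 
-defp phoenix_dep("deps/phoenix"), do: ~s[{:phoenix, "~> 1.2.1"}]
+defp phoenix_dep("deps/phoenix"), do: ~s[{:phoenix, "~> 1.2.2"}]
 # defp phoenix_dep("deps/phoenix"), do: ~s[{:phoenix, github: "phoenixframework/phoenix", override: true}]
 defp phoenix_dep(path), do: ~s[{:phoenix, path: #{inspect path}, override: true}]
 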
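--- a/installer/mix.exs
+++ b/installer/mix.exs
@@ -3,7 +3,7 @@ defmodule Phoenix.New.Mixfile do
 
 def project do
 [app: :phoenix_new,
-version: "1.2.1",
+version: "1.2.2",
 elixir: "~> 1.2"]
 end
 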
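--- a/lib/phoenix/controller.ex
+++ b/lib/phoenix/controller.ex
@@ -306,18 +306,22 @@ defmodule Phoenix.Controller do
 
 defp url(opts) do
 cond do
-to = opts[:to] ->
-case to do
-"//" <> _ -> raise_invalid_url(to)
-"/" <> _ -> to
-_ -> raise_invalid_url(to)
-end
-external = opts[:external] ->
-external
-true ->
-raise ArgumentError, "expected :to or :external option in redirect/2"
+to = opts[:to] -> validate_local_url(to)
+external = opts[:external] -> external
+true -> raise ArgumentError, "expected :to or :external option in redirect/2"
 end
 end
+@invalid_local_url_chars ["\\"]
+defp validate_local_url("//" <> _ = to), do: raise_invalid_url(to)
+defp validate_local_url("/" <> _ = to) do
+if String.contains?(to, @invalid_local_url_chars) do
+raise ArgumentError, "unsafe characters detected for local redirect in URL #{inspect to}"
+else
+to
+end
+end
+defp validate_local_url(to), do: raise_invalid_url(to)
+
 @spec raise_invalid_url(term()) :: no_return()
 defp raise_invalid_url(url) do
 raise ArgumentError, "the :to option in redirect expects a path but was #{inspect url}"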
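Review bot: The new `@invalid_local_url_chars ["\\"]` carries no explanation of why a backslash is the one character rejected from an otherwise accepted `"/"`-prefixed path, so a maintainer cannot tell whether the list is complete or deliberately narrow; I would add above it `# Browsers normalize "\" to "/", so a path like "/\host" is treated as the protocol-relative "//host" that the clause below already rejects.` The check is a literal-character denylist applied to the raw string and, as far as this hunk shows, nothing decodes or normalizes `to` first, so a short comment should also state that it is a hardening layer for `redirect/2`'s `:to` option rather than a parser-backed guarantee that the target is same-origin. As a point of style, a blank line before `@invalid_local_url_chars` would separate it from the closing `end` of `url/1` and attach it visually to the `validate_local_url/1` clauses it configures. The enclosing `Phoenix.Controller` module starts and ends outside the hunk.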
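--- a/mix.exs
+++ b/mix.exs
@@ -1,7 +1,7 @@
 defmodule Phoenix.Mixfile do
 use Mix.Project
 
-@version "1.2.1"
+@version "1.2.2"
 
 def project do
 [app: :phoenix,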
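--- a/mix.lock
+++ b/mix.lock
@@ -1,4 +1,4 @@
-%{"cowboy": {:hex, :cowboy, "1.0.4", "a324a8df9f2316c833a470d918aaf73ae894278b8aa6226ce7a9bf699388f878", [:rebar, :make], [{:cowlib, "~> 1.0.0", [hex: :cowlib, optional: false]}, {:ranch, "~> 1.0", [hex: :ranch, optional: false]}]},
+%{"cowboy": {:hex, :cowboy, "1.0.4", "a324a8df9f2316c833a470d918aaf73ae894278b8aa6226ce7a9bf699388f878", [:make, :rebar], [{:cowlib, "~> 1.0.0", [hex: :cowlib, optional: false]}, {:ranch, "~> 1.0", [hex: :ranch, optional: false]}]},
 "cowlib": {:hex, :cowlib, "1.0.2", "9d769a1d062c9c3ac753096f868ca121e2730b9a377de23dec0f7e08b1df84ee", [:make], []},
 "earmark": {:hex, :earmark, "0.2.1", "ba6d26ceb16106d069b289df66751734802777a3cbb6787026dd800ffeb850f3", [:mix], []},
 "ex_doc": {:hex, :ex_doc, "0.12.0", "b774aabfede4af31c0301aece12371cbd25995a21bb3d71d66f5c2fe074c603f", [:mix], [{:earmark, "~> 0.2", [hex: :earmark, optional: false]}]},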
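--- a/test/phoenix/controller/controller_test.exs
+++ b/test/phoenix/controller/controller_test.exs
@@ -239,6 +239,10 @@ defmodule Phoenix.Controller.ControllerTest do
 assert_raise ArgumentError, ~r/the :to option in redirect expects a path/, fn ->
 redirect(conn(:get, "/"), to: "//example.com")
 end
+
+assert_raise ArgumentError, ~r/unsafe/, fn ->
+redirect(conn(:get, "/"), to: "/\\example.com")
+end
 end
 
 test "redirect/2 with :external" do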
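Review bot: The new assertion matches the raised message with `~r/unsafe/`, which is loose enough to pass on any `ArgumentError` whose text happens to contain that word, while the sibling assertion just above pins the full `the :to option in redirect expects a path` phrase. Pinning the new error path the same way, `assert_raise ArgumentError, ~r/unsafe characters detected for local redirect/, fn ->`, keeps the two checks consistent and ensures a regression that routes `"/\\example.com"` to the generic invalid-URL error is caught. The enclosing test block starts outside the hunk.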
