Merge pull request #3541 from evazion/fix-3539

Fix #3539: Open redirect vulnerabilities
2018-03-08 16:02:02 -08:00
parent 418b2beae5 84a0a89f4b
commit 448ec81e97
4 changed files with 37 additions and 17 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -196,17 +196,19 @@ class ApplicationController < ActionController::Base
    @page_title = Danbooru.config.app_name + "/#{params[:controller]}"
  end

+  # Remove blank `search` params from the url.
+  #
+  # /tags?search[name]=touhou&search[category]=&search[order]=
+  # => /tags?search[name]=touhou
  def normalize_search
    if request.get?
      if params[:search].blank?
-        params[:search] = {}
+        params[:search] = ActionController::Parameters.new
      end

-      if params[:search].is_a?(Hash)
-        changed = params[:search].reject! {|k,v| v.blank?}
-        unless changed.nil?
-          redirect_to url_for(params)
-        end
+      if params[:search].is_a?(ActionController::Parameters) && params[:search].values.any?(&:blank?)
+        params[:search].reject! {|k,v| v.blank?}
+        redirect_to url_for(params: params.except(:controller, :action, :index).permit!)
      end
    end
  end