restrict ToS url redirect to local urls; see #1813

2013-06-30 11:17:19 -04:00
parent 0dff962d9e
commit 513122c480
1 changed files with 2 additions and 1 deletions
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -4,7 +4,8 @@ class StaticController < ApplicationController
  
  def accept_terms_of_service
    cookies.permanent[:accepted_tos] = "1"
-    redirect_to(params[:url] || posts_path)
+    url = params[:url] if params[:url].start_with? '/'
+    redirect_to(url || posts_path)
  end

  def error