evazion 37f2d5925f sessions: fix open redirect in login page. ...

Fix an open redirect exploit where if you went to <https://danbooru.donmai.us/login?url=//fakebooru.com>,
then after you logged in you would be redirected to https://fakebooru.com.

This was actually fixed by the upgrade to Rails 7.0. `redirect_to` now
raises an `UnsafeRedirectError` on redirect to an offsite URL. Before we
tried to prevent offsite redirects by checking that the URL started with
a slash, but this was insufficient - it allowed protocol-relative URLs
like `//fakebooru.com`.

Add a test case for protocol-relative URLs and return a 403 error on an
offsite redirect.

2022-01-07 21:11:04 -06:00

..

components

tests: fix broken tests.

2021-12-16 01:38:06 -06:00

factories

jobs: update jobs dashboard to work with GoodJob.

2022-01-02 21:21:04 -06:00

files

posts: fix calculation of animated PNG duration.

2021-10-06 21:04:36 -05:00

fixtures/stripe-webhooks

user upgrades: upgrade to new Stripe checkout system.

2020-12-24 19:58:29 -06:00

functional

sessions: fix open redirect in login page.

2022-01-07 21:11:04 -06:00

helpers

…

jobs

aliases/implications: change automatic retirement rules.

2021-11-05 05:46:50 -05:00

mailers/previews

users: add new owner level.

2020-12-13 21:18:24 -06:00

system

remove references to locks

2021-10-24 15:16:48 -03:00

test_helpers

tests: fix test failures when running without API keys.

2021-09-22 04:33:36 -05:00

unit

tests: fix broken tests.

2022-01-07 14:44:24 -06:00

.rubocop.yml

ci: use more permissive rubocop / codeclimate settings.

2020-06-15 16:45:37 -05:00

application_system_test_case.rb

…

test_helper.rb

storage manager: refactor base_dir option.

2021-10-29 07:14:21 -05:00