diff options
| author | Louise Crow <louise.crow@gmail.com> | 2013-10-02 18:31:46 +0100 |
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2013-10-02 18:31:46 +0100 |
| commit | 0ce3891bfd26d9ec3580f67a5ec5e904b5151962 (patch) | |
| tree | b0d4da98093cba4f6aa6c1285a3f26c3ffbfb2dc | |
| parent | b597d3528ac71d17c57d3ddca9950a4430f75039 (diff) | |
Don't allow redirects to another host.
| -rw-r--r-- | app/controllers/track_controller.rb | 3 | ||||
| -rw-r--r-- | spec/controllers/track_controller_spec.rb | 33 |
2 files changed, 35 insertions, 1 deletions
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb index 40fa69290..72c092221 100644 --- a/app/controllers/track_controller.rb +++ b/app/controllers/track_controller.rb @@ -181,7 +181,8 @@ class TrackController < ApplicationController if new_medium == 'delete' track_thing.destroy flash[:notice] = _("You are no longer following {{track_description}}.", :track_description => track_thing.params[:list_description]) - redirect_to params[:r] + redirect_to URI.parse(params[:r]).path + # Reuse code like this if we let medium change again. #elsif new_medium == 'email_daily' # track_thing.track_medium = new_medium diff --git a/spec/controllers/track_controller_spec.rb b/spec/controllers/track_controller_spec.rb index a16024828..57d084f6b 100644 --- a/spec/controllers/track_controller_spec.rb +++ b/spec/controllers/track_controller_spec.rb @@ -55,6 +55,39 @@ describe TrackController, "when making a new track on a request" do end +describe TrackController, "when unsubscribing from a track" do + + before do + @track_thing = FactoryGirl.create(:track_thing) + end + + it 'should destroy the track thing' do + get :update, {:track_id => @track_thing.id, + :track_medium => 'delete', + :r => 'http://example.com'}, + {:user_id => @track_thing.tracking_user.id} + TrackThing.find(:first, :conditions => ['id = ? ', @track_thing.id]).should == nil + end + + it 'should redirect to a URL on the site' do + get :update, {:track_id => @track_thing.id, + :track_medium => 'delete', + :r => '/'}, + {:user_id => @track_thing.tracking_user.id} + response.should redirect_to('/') + end + + it 'should not redirect to a url on another site' do + track_thing = FactoryGirl.create(:track_thing) + get :update, {:track_id => @track_thing.id, + :track_medium => 'delete', + :r => 'http://example.com/'}, + {:user_id => @track_thing.tracking_user.id} + response.should redirect_to('/') + end + +end + describe TrackController, "when sending alerts for a track" do render_views |