Fix unvalidated redirects

author: Gareth Rees <gareth@mysociety.org> 2014-10-01 13:00:01 +0100
committer: Louise Crow <louise.crow@gmail.com> 2014-12-22 16:07:31 +0000
commit: a5cce7126bf2bbbfba784ea4954d16a964c88214 (patch)
tree: 2c49851dc8c685b73ea6c68f1a4058ce2bdc2ec1
parent: f9e69dfd60af6b1ca819406bf6d9a217cee1f319 (diff)
2 files changed, 3 insertions, 3 deletions
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 8020c7b29..d764aaafb 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -214,7 +214,7 @@ class TrackController < ApplicationController
             track_thing.destroy
         end
 
-        redirect_to params[:r]
+        redirect_to URI.parse(params[:r]).path
     end
 
     # Track interest in a request from a non-logged in user
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index f23343ddb..f63d6a508 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -256,7 +256,7 @@ class UserController < ApplicationController
     def signout
         self._do_signout
         if params[:r]
-            redirect_to params[:r]
+            redirect_to URI.parse(params[:r]).path
         else
             redirect_to :controller => "general", :action => "frontpage"
         end
@@ -596,7 +596,7 @@ class UserController < ApplicationController
         end
         @user.receive_email_alerts = params[:receive_email_alerts]
         @user.save!
-        redirect_to params[:came_from]
+        redirect_to URI.parse(params[:came_from]).path
     end
 
     private
author	Gareth Rees <gareth@mysociety.org>	2014-10-01 13:00:01 +0100
committer	Louise Crow <louise.crow@gmail.com>	2014-12-22 16:07:31 +0000
commit	a5cce7126bf2bbbfba784ea4954d16a964c88214 (patch)
tree	2c49851dc8c685b73ea6c68f1a4058ce2bdc2ec1
parent	f9e69dfd60af6b1ca819406bf6d9a217cee1f319 (diff)