From 052c242d74b1aff44b5d08ed664201f17792e5a4 Mon Sep 17 00:00:00 2001
From: Gareth Rees
Date: Wed, 1 Oct 2014 13:00:01 +0100
Subject: Fix unvalidated redirects

---
 app/controllers/user_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'app/controllers/user_controller.rb')

diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..43eb99c58 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -271,7 +271,7 @@ class UserController < ApplicationController
   def signout
     self._do_signout
     if params[:r]
-      redirect_to params[:r]
+      redirect_to URI.parse(params[:r]).path
     else
       redirect_to :controller => "general", :action => "frontpage"
     end
@@ -611,7 +611,7 @@ class UserController < ApplicationController
     end
     @user.receive_email_alerts = params[:receive_email_alerts]
     @user.save!
-    redirect_to params[:came_from]
+    redirect_to URI.parse(params[:came_from]).path
   end
 
   private
--
cgit v1.2.3
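Review bot: `URI.parse(params[:r]).path` raises `URI::InvalidURIError` on a malformed value and yields `nil` for schemes that carry no path component (a `mailto:` URI, for example), so a garbled or hostile `r` now produces a 500 instead of the safe fallback the `else` branch already provides; the same applies to `params[:came_from]` in the second hunk, where there is no `else` at all and `redirect_to nil` raises in Rails. The open-redirect fix itself is sound — `.path` discards any scheme and host, including protocol-relative `//host/...` forms — but the parse should be wrapped so that anything that is not a local absolute path falls back to the frontpage. A private helper such as the one below lets both call sites become `redirect_to(safe_redirect_path(params[:r]) || { :controller => "general", :action => "frontpage" })`. Note that `.path` also drops the query string, so a `came_from` carrying `?page=2` lands on the bare path; if that matters, append `uri.query` under the same check. `signout` closes outside the first hunk, and the method containing the second hunk begins before it.
```ruby
  private

  # Returns the local, absolute path portion of a user-supplied redirect
  # target, or nil when the value is unparseable or not a local path.
  def safe_redirect_path(raw)
    path = URI.parse(raw.to_s).path
    path if path.to_s.start_with?('/')
  rescue URI::InvalidURIError
    nil
  end

  # … unchanged: rest of the private section …
```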