[DRE-commits] [redmine] 01/02: [CVE-2014-1985]: fix open redirector issue

Ondrej Sury ondrej at moszumanska.debian.org
Wed Jul 16 10:38:36 UTC 2014


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-stable
in repository redmine.

commit 472fc07b348c9b3ebd992632c9e9540075756035
Author: Ondřej Surý <ondrej at sury.org>
Date:   Wed Jul 16 12:27:28 2014 +0200

    [CVE-2014-1985]: fix open redirector issue
---
 debian/patches/CVE-2014-1985.patch | 41 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 42 insertions(+)

diff --git a/debian/patches/CVE-2014-1985.patch b/debian/patches/CVE-2014-1985.patch
new file mode 100644
index 0000000..c75ccb2
--- /dev/null
+++ b/debian/patches/CVE-2014-1985.patch
@@ -0,0 +1,41 @@
+From 7567c3d8b21fe67e5f04e6839c1fce061600f2f3 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Sat, 29 Mar 2014 14:32:47 +0000
+Subject: [PATCH] Fixed back url verification (#16466).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@13018 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/application_controller.rb  |  2 +-
+ test/functional/account_controller_test.rb | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- redmine.orig/app/controllers/application_controller.rb
++++ redmine/app/controllers/application_controller.rb
+@@ -325,7 +325,7 @@ class ApplicationController < ActionCont
+       begin
+         uri = URI.parse(back_url)
+         # do not redirect user to another host or to the login or register page
+-        if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
++        if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
+           redirect_to(back_url)
+           return
+         end
+--- redmine.orig/test/functional/account_controller_test.rb
++++ redmine/test/functional/account_controller_test.rb
+@@ -38,8 +38,14 @@ class AccountControllerTest < ActionCont
+   end
+ 
+   def test_login_should_not_redirect_to_another_host
+-    post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
+-    assert_redirected_to '/my/page'
++    back_urls = [
++      'http://test.foo/fake',
++      '//test.foo/fake'
++    ]
++    back_urls.each do |back_url|
++      post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
++      assert_redirected_to '/my/page'
++    end
+   end
+ 
+   def test_login_with_wrong_password
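Review bot: The tightened guard on the new `if` line in application_controller.rb rejects protocol-relative `//host/path` values (which `URI.parse` reports as relative), but the comment on the line above it still only says "another host", so a reader cannot see why the `\A/\w` test is there; update it to `# do not redirect user to another host (including protocol-relative //host URLs, which URI treats as relative) or to the login or register page`. The functional test added in account_controller_test.rb covers only rejected values; a positive case such as `:back_url => '/issues'` asserting the redirect is honoured would show the stricter check does not break ordinary back links. The `(login|account/register)` path match on the same line stays unanchored, as in the original, so it also matches that fragment anywhere inside the path. The enclosing controller method begins and ends outside the hunk.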
diff --git a/debian/patches/series b/debian/patches/series
index ccd3bd7..3f8756d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
 2017_Gemfile_debian.patch
 1001_Parsedate.parsedate.patch
 1002_REST_API_ruby1.9.3.patch
+CVE-2014-1985.patch



