From 988d7cd90df00a8eabbc3cc40e1f3467a0b2dec0 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Mon, 17 Jan 2022 11:01:07 +0000 Subject: [PATCH] Remove form_action restrictions for sessions#login Login may redirect to ouath2_authorizations#create which may then redirect to arbitrary schemes if the application is already authorized so we need to allow login to redirect to any scheme. Fixes #3424 --- app/controllers/sessions_controller.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index bb3854e69..5b46d67d0 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -12,9 +12,7 @@ class SessionsController < ApplicationController authorize_resource :class => false def new - append_content_security_policy_directives( - :form_action => %w[*] - ) + override_content_security_policy_directives(:form_action => []) if Settings.csp_enforce || Settings.key?(:csp_report_url) session[:referer] = safe_referer(params[:referer]) if params[:referer] end -- 2.45.2