if request.cookies["_osm_session"].to_s == ""
if params[:cookie_test].nil?
session[:cookie_test] = true
- redirect_to params.to_unsafe_h.merge(:cookie_test => "true")
+ redirect_to params.to_unsafe_h.merge(:only_path => true, :cookie_test => "true")
false
else
flash.now[:warning] = t "application.require_cookies.cookies_needed"
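Review bot: `:only_path => true` on the new line 5 stops a user-supplied `host` from being honoured, but `redirect_to` with a hash still goes through `url_for`, which (as far as I can tell from Rails' reserved option keys) also consumes `script_name`, `original_script_name` and `relative_url_root` from the merged hash and prefixes them onto the generated path, so a query string like `?script_name=//evil.example` would still produce a protocol-relative `Location` and reopen the redirect. Strip those keys before merging, e.g. `redirect_to params.to_unsafe_h.except("script_name", "original_script_name", "relative_url_root").merge(:only_path => true, :cookie_test => "true")`, or build the target from `request.path` and `request.query_parameters` rather than the whole params hash. The enclosing method (presumably the cookie-check filter) starts and ends outside this hunk.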
# override to stop oauth plugin sending errors
def invalid_oauth_response; end
+
+ # clean any referer parameter
+ def safe_referer(referer)
+ referer = URI.parse(referer)
+
+ if referer.scheme == "http" || referer.scheme == "https"
+ referer.scheme = nil
+ referer.host = nil
+ referer.port = nil
+ elsif referer.scheme || referer.host || referer.port
+ referer = nil
+ end
+
+ referer.to_s
+ end
end
end
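Review bot: `safe_referer` still lets two shapes through that `redirect_to` turns into off-site redirects: a value whose path does not start with `/` (plain `.evil.example`, or `http:.evil.example`, which parses with no host and so survives the scheme branch) is appended by Rails directly after `request.host_with_port`, yielding `https://www.openstreetmap.org.evil.example`, and a path beginning with `//` (e.g. `https://www.openstreetmap.org//evil.example/`) comes out of `to_s` on line 24 as `//evil.example/`, which Rails' redirect treats as an absolute URL. `URI.parse` on line 14 also raises `URI::InvalidURIError` on malformed input and no caller rescues it, and `userinfo` is never cleared, so `URI#to_s` can still emit `user:pw@` in front of the path. Requiring a rooted, non-network-path reference and rescuing the parse error closes these while keeping the string return the call sites rely on (they can then use `.presence || fallback`).
```ruby
  def safe_referer(referer)
    referer = URI.parse(referer)
    # … unchanged: http/https scrub, reject any other scheme/host/port …
    referer.userinfo = nil if referer

    # Only a rooted path that is not a network-path reference ("//host") is
    # safe: redirect_to appends a bare "foo" to request.host_with_port and
    # treats a leading "//" as an absolute URL. Opaque URIs have a nil path.
    path = referer&.path.to_s
    referer = nil if referer && !(path.start_with?("/") && !path.start_with?("//"))

    referer.to_s
  rescue URI::InvalidURIError
    ""
  end
```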
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to user_path
end
end
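Review bot: When `safe_referer` rejects the value it returns `""` (`nil.to_s`), so the new line 30 calls `redirect_to ""`, which Rails expands to `request.protocol + request.host_with_port` — the user lands on the site root and the `user_path` fallback on line 32 is never reached; a malformed referer instead raises `URI::InvalidURIError` out of the action. Fold the fallback into the call: `redirect_to safe_referer(params[:referer]).presence || user_path`. The same pattern recurs at every `safe_referer(params[:referer])` call site in this commit, and the enclosing method starts outside this hunk.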
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to user_path
end
flash[:notice] = t ".destroyed"
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :action => :inbox
end
def permalink
lon, lat, zoom = ShortLink.decode(params[:code])
- new_params = params.except(:code, :lon, :lat, :zoom, :layers, :node, :way, :relation, :changeset)
+ new_params = params.except(:host, :controller, :action, :code, :lon, :lat, :zoom, :layers, :node, :way, :relation, :changeset)
if new_params.key? :m
new_params.delete :m
new_params[:mlon] = lon
end
- if params.key? :node
- new_params[:controller] = "browse"
- new_params[:action] = "node"
- new_params[:id] = params[:node]
- elsif params.key? :way
- new_params[:controller] = "browse"
- new_params[:action] = "way"
- new_params[:id] = params[:way]
- elsif params.key? :relation
- new_params[:controller] = "browse"
- new_params[:action] = "relation"
- new_params[:id] = params[:relation]
- elsif params.key? :changeset
- new_params[:controller] = "browse"
- new_params[:action] = "changeset"
- new_params[:id] = params[:changeset]
- else
- new_params[:controller] = "site"
- new_params[:action] = "index"
- end
-
new_params[:anchor] = "map=#{zoom}/#{lat}/#{lon}"
new_params[:anchor] += "&layers=#{params[:layers]}" if params.key? :layers
- redirect_to new_params.to_unsafe_h
+ options = new_params.to_unsafe_h.to_options
+
+ path = if params.key? :node
+ node_path(params[:node], options)
+ elsif params.key? :way
+ way_path(params[:way], options)
+ elsif params.key? :relation
+ relation_path(params[:relation], options)
+ elsif params.key? :changeset
+ changeset_path(params[:changeset], options)
+ else
+ root_url(options)
+ end
+
+ redirect_to path
end
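Review bot: Removing `:host` from `new_params` on line 51 is not sufficient for the `root_url(options)` call on line 91: the `_url` helpers also honour `domain`, `subdomain`, `protocol` and `port` from the options hash, so `/go/CODE?domain=evil.example` would (if I read `url_for` correctly) yield `Location: https://www.evil.example/#map=…`, and `script_name` is prefixed onto the path produced by the `_path` helpers on lines 83–89 as well. Because every remaining key in `options` is user-controlled, allowlist rather than denylist: `options = new_params.to_unsafe_h.to_options.slice(:mlat, :mlon, :anchor)` (plus any other keys the map page genuinely reads), or at minimum `except` the full set of `url_for` reserved options. The `permalink` method is fully visible in this hunk.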
def key
anchor << "layers=N"
end
- redirect_to params.to_unsafe_h.merge(:anchor => anchor.join("&")) if anchor.present?
+ redirect_to params.to_unsafe_h.merge(:only_path => true, :anchor => anchor.join("&")) if anchor.present?
end
end
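Review bot: The `:only_path => true` added on the new line 100 neutralises `host` but not the other reserved keys `url_for` pulls out of the merged hash — `script_name`, `original_script_name` and `relative_url_root` are still spliced in front of the path, so `?script_name=//evil.example` can yield a protocol-relative `Location` here too. Remove them before merging: `redirect_to params.to_unsafe_h.except("script_name", "original_script_name", "relative_url_root").merge(:only_path => true, :anchor => anchor.join("&")) if anchor.present?`. The method this redirect belongs to is only partly visible in this hunk.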
flash[:notice] = t("users.new.terms declined", :url => t("users.new.terms declined url")).html_safe if current_user.save
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :action => :account, :display_name => current_user.display_name
end
end
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :action => :account, :display_name => current_user.display_name
end
def new
@title = t "users.new.title"
- @referer = params[:referer] || session[:referer]
+ @referer = if params[:referer]
+ safe_referer(params[:referer])
+ else
+ session[:referer]
+ end
append_content_security_policy_directives(
:form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
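Review bot: Line 123 trusts `session[:referer]` as-is while the `params` branch just above it is scrubbed; this commit does write the session value through `safe_referer` in `create` and `login`, but sessions issued before the deploy, and any other writer I cannot see from here, still carry an unfiltered value that ends up in `@referer`. Scrubbing on read costs one call: `safe_referer(session[:referer]) if session[:referer]` in the else branch — noting that `safe_referer` raises on non-URI input, so it needs a rescue or a guard. The `new` action continues past this hunk.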
self.current_user = User.new(user_params)
if check_signup_allowed(current_user.email)
- session[:referer] = params[:referer]
+ session[:referer] = safe_referer(params[:referer]) if params[:referer]
+
+ Rails.logger.info "create: #{session[:referer]}"
current_user.status = "pending"
end
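Review bot: `Rails.logger.info "create: #{session[:referer]}"` on the new line 132 reads like a debugging leftover: it writes a user-controlled string to the production log at INFO on every signup, which is noise at best and, since the value is not inspected or escaped, lets a crafted referer containing newlines inject fake log lines. Either drop it or demote it to a lazily evaluated debug entry with the value inspected, `Rails.logger.debug { "create: referer=#{session[:referer].inspect}" }`. The enclosing action (presumably `create`, given the log prefix) starts before this hunk.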
def login
- session[:referer] = params[:referer] if params[:referer]
+ session[:referer] = safe_referer(params[:referer]) if params[:referer]
if params[:username].present? && params[:password].present?
session[:remember_me] ||= params[:remember_me]
session.delete(:user)
session_expires_automatically
if params[:referer]
- redirect_to params[:referer]
+ redirect_to safe_referer(params[:referer])
else
redirect_to :controller => "site", :action => "index"
end
user.email_valid = true
flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
user.save!
- referer = token.referer
+ referer = safe_referer(token.referer) if token.referer
token.destroy
if session[:token]