From 407b61857ea19172b403347469381d814f7e1cb2 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 23 Nov 2021 17:12:19 +0000
Subject: [PATCH] Improve fallback behaviour for unsafe referer redirects

---
 app/controllers/application_controller.rb |  2 +-
 app/controllers/friendships_controller.rb | 16 ++++++----------
 app/controllers/messages_controller.rb    |  6 ++++--
 app/controllers/sessions_controller.rb    |  8 ++++++--
 app/controllers/users_controller.rb       | 16 ++++++----------
 5 files changed, 23 insertions(+), 25 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d0898bf5e..07b23ce21 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -397,7 +397,7 @@ class ApplicationController < ActionController::Base
       referer = nil
     end
 
-    referer.to_s
+    referer&.to_s
   end
 
   def scope_enabled?(scope)
diff --git a/app/controllers/friendships_controller.rb b/app/controllers/friendships_controller.rb
index 5cdb2a4e4..93dffb4a3 100644
--- a/app/controllers/friendships_controller.rb
+++ b/app/controllers/friendships_controller.rb
@@ -28,11 +28,9 @@ class FriendshipsController < ApplicationController
           friendship.add_error(t("friendships.make_friend.failed", :name => @new_friend.display_name))
         end
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_path
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_path
       end
     else
       render_unknown_user params[:display_name]
@@ -51,11 +49,9 @@ class FriendshipsController < ApplicationController
           flash[:error] = t "friendships.remove_friend.not_a_friend", :name => @friend.display_name
         end
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_path
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_path
       end
     else
       render_unknown_user params[:display_name]
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index dacd00261..a95e2e587 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -119,8 +119,10 @@ class MessagesController < ApplicationController
     if @message.save && !request.xhr?
       flash[:notice] = t ".destroyed"
 
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      if referer
+        redirect_to referer
       else
         redirect_to :action => :inbox
       end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7e6a740f3..bb3854e69 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -34,10 +34,14 @@ class SessionsController < ApplicationController
         token&.destroy
         session.delete(:token)
       end
+
       session.delete(:user)
       session_expires_automatically
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
+
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      if referer
+        redirect_to referer
       else
         redirect_to :controller => "site", :action => "index"
       end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8b04167b0..b90fbea11 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -44,11 +44,9 @@ class UsersController < ApplicationController
 
         flash[:notice] = { :partial => "users/terms_declined_flash" } if current_user.save
 
-        if params[:referer]
-          redirect_to safe_referer(params[:referer])
-        else
-          redirect_to user_account_path(current_user)
-        end
+        referer = safe_referer(params[:referer]) if params[:referer]
+
+        redirect_to referer || user_account_path(current_user)
       elsif params[:decline]
         redirect_to t("users.terms.declined")
       else
@@ -64,11 +62,9 @@ class UsersController < ApplicationController
         flash[:notice] = t "users.new.terms accepted" if current_user.save
       end
 
-      if params[:referer]
-        redirect_to safe_referer(params[:referer])
-      else
-        redirect_to user_account_path(current_user)
-      end
+      referer = safe_referer(params[:referer]) if params[:referer]
+
+      redirect_to referer || user_account_path(current_user)
     else
       self.current_user = session.delete(:new_user)
 
-- 
2.45.1