From d687f6436a14c8b36f1a560ee95222bb2d4fb63f Mon Sep 17 00:00:00 2001 From: Sean McGivern Date: Wed, 5 Apr 2017 21:17:49 +0000 Subject: Merge branch 'open-redirect-fix-continue-to' into 'security' Fix for open redirect vuln involving continue[to] params See merge request !2083 --- app/controllers/concerns/continue_params.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'app/controllers/concerns') diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb index 0a995c45bdf..eb3a623acdd 100644 --- a/app/controllers/concerns/continue_params.rb +++ b/app/controllers/concerns/continue_params.rb @@ -7,6 +7,7 @@ module ContinueParams continue_params = continue_params.permit(:to, :notice, :notice_now) return unless continue_params[:to] && continue_params[:to].start_with?('/') + return if continue_params[:to].start_with?('//') continue_params end -- cgit v1.2.1 From b996a82ff44e3bcad5e5fb70cabbfa808d06cf62 Mon Sep 17 00:00:00 2001 From: Jacopo Date: Fri, 3 Mar 2017 11:35:04 +0100 Subject: ProjectsFinder should handle more options Extended ProjectFinder in order to handle the following options: - current_user - which user use - project_ids_relation: int[] - project ids to use - params: - trending: boolean - non_public: boolean - starred: boolean - sort: string - visibility_level: int - tags: string[] - personal: boolean - search: string - non_archived: boolean GroupProjectsFinder now inherits from ProjectsFinder. Changed the code in order to use the new available options. --- app/controllers/concerns/filter_projects.rb | 17 ----------------- .../concerns/params_backward_compatibility.rb | 7 +++++++ 2 files changed, 7 insertions(+), 17 deletions(-) delete mode 100644 app/controllers/concerns/filter_projects.rb create mode 100644 app/controllers/concerns/params_backward_compatibility.rb (limited to 'app/controllers/concerns') diff --git a/app/controllers/concerns/filter_projects.rb b/app/controllers/concerns/filter_projects.rb deleted file mode 100644 index 6014112256a..00000000000 --- a/app/controllers/concerns/filter_projects.rb +++ /dev/null @@ -1,17 +0,0 @@ -# == FilterProjects -# -# Controller concern to handle projects filtering -# * by name -# * by archived state -# -module FilterProjects - extend ActiveSupport::Concern - - def filter_projects(projects) - projects = projects.search(params[:name]) if params[:name].present? - projects = projects.non_archived if params[:archived].blank? - projects = projects.personal(current_user) if params[:personal].present? && current_user - - projects - end -end diff --git a/app/controllers/concerns/params_backward_compatibility.rb b/app/controllers/concerns/params_backward_compatibility.rb new file mode 100644 index 00000000000..b0e3d9c7b34 --- /dev/null +++ b/app/controllers/concerns/params_backward_compatibility.rb @@ -0,0 +1,7 @@ +module ParamsBackwardCompatibility + private + + def set_non_archived_param + params[:non_archived] = params[:archived].blank? + end +end -- cgit v1.2.1