I agree, an exception is the correct behavior.
On Thu, Mar 6, 2014 at 2:10 PM, Timothy Goddard <t...@goddard.net.nz> wrote: > Very interesting, could cause issues. It can't use the value and not > substitute - that's worse. Have seen response splitting in mod_perl because > it outputs raw strings in to location headers. In my view it should raise > an exception if not a valid URI. > > > Sent from Samsung Mobile > > > > -------- Original message -------- > From: Brandon Perry <bperry.volat...@gmail.com> > Date: > To: full-disclosure@lists.grok.org.uk > Subject: [Full-disclosure] Rails and redirections > > > > Currently, passing \0, \r, or \n into a URL that is passed to redirect_to > has Rails gsub'ing them out of the URL before completing the redirect. > > A programmer that doesn't realise this is happening could easily write a > regex and logic that says "if url starts with https:// or http:// fail or > else redirect_to url". > > Seems straighforward, but an attacker could simply pass in a url like > \nhttp://www.google.com and bypass the regex check and be redirected to > google.com. > > The line effecting this is line 106 in redirecting.rb in Rails. > > > https://github.com/rails/rails/blob/3-2-stable/actionpack/lib/action_controller/metal/redirecting.rb#L106 > > I feel like this is something that Rails should not be doing on behalf of > the programmer. The programmer should be expected to pass in exactly what > they want redirected to without Rails changing their data. Should this be > considered a vulnerability? > > Thoughts? > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/