From 9065683216b87b92276d664a76d13bec45a8ea66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Sun, 10 Nov 2019 16:14:36 +0100
Subject: [PATCH] Redirect to referer after destroying an image

The same way we do for documents. This way we avoid a possible unprotected redirect.
---
 app/controllers/images_controller.rb | 2 +-
 .../investments/_investment_show.html.erb | 2 +-
 spec/controllers/images_controller_spec.rb | 17 +++++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 spec/controllers/images_controller_spec.rb

diff --git a/app/controllers/images_controller.rb b/app/controllers/images_controller.rb
index 665c7ce64..2e1093f0b 100644
--- a/app/controllers/images_controller.rb
+++ b/app/controllers/images_controller.rb
@@ -11,7 +11,7 @@ class ImagesController < ApplicationController
         else
           flash[:alert] = t "images.actions.destroy.alert"
         end
-        redirect_to params[:from]
+        redirect_to request.referer
       end
       format.js do
         if @image.destroy
diff --git a/app/views/budgets/investments/_investment_show.html.erb b/app/views/budgets/investments/_investment_show.html.erb
index 98d18e655..e112342b7 100644
--- a/app/views/budgets/investments/_investment_show.html.erb
+++ b/app/views/budgets/investments/_investment_show.html.erb
@@ -26,7 +26,7 @@
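Review bot: `request.referer` is nil whenever the browser omits the header (direct navigation, a strict Referrer-Policy, a privacy extension), and `redirect_to nil` raises ActionController::ActionControllerError, so the new `redirect_to request.referer` line turns a successful deletion into a 500 for those users. Rails has `redirect_back(fallback_location: root_path)` for exactly this, or at minimum `redirect_to request.referer || root_path`. The Referer is still a client-supplied header rather than a trusted value; CSRF protection is what keeps a third-party page from steering it, so on a Rails version that supports it `redirect_back(fallback_location: root_path, allow_other_host: false)` would also refuse an off-site referer. The enclosing `destroy` action starts before and continues after this hunk (the `format.js` branch), so check it does not have the same nil-referer assumption elsewhere.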

<%= t("budgets.investments.show.author") %>

-      <%= link_to image_path(investment.image, from: request.url),
+      <%= link_to image_path(investment.image),
                   method: :delete,
                   class: "button hollow alert expanded" do %>
diff --git a/spec/controllers/images_controller_spec.rb b/spec/controllers/images_controller_spec.rb
new file mode 100644
index 000000000..5b83ac1c8
--- /dev/null
+++ b/spec/controllers/images_controller_spec.rb
@@ -0,0 +1,17 @@
+require "rails_helper"
+
+describe ImagesController do
+  let(:user) { create(:user) }
+  before { sign_in user }
+
+  describe "DELETE destroy" do
+    it "redirects to the referer URL" do
+      image = create(:image, imageable: create(:proposal, author: user))
+      request.env["HTTP_REFERER"] = "/proposals"
+
+      delete :destroy, params: { id: image, from: "http://evil.dev" }
+
+      expect(response).to redirect_to "/proposals"
+    end
+  end
+end
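Review bot: The new spec only exercises the case where a Referer header is present; the behaviour most worth pinning after this change is the request with no Referer, since `redirect_to request.referer` then receives nil. Add a second example that leaves `request.env["HTTP_REFERER"]` unset, sends `delete :destroy, params: { id: image }` and asserts the expected fallback response, and consider a third with `request.env["HTTP_REFERER"] = "http://evil.dev/"` to document whether an off-site referer is meant to be followed. The `from: "http://evil.dev"` param in the existing example is a good regression guard for the removed `params[:from]` and should stay.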