Providing redirects based on the return_to parameter in Rails 3

Question

Providing redirects based on the return_to parameter in Rails 3

I have some actions redirecting back or to another place on my site, which I pass with the parameter from the original page.

In my application_controller.rb , I have this method, which I use in other controllers to receive and process param return_to

 def redirect_to_return_to_or_default(default) if params[:return_to].present? redirect_to params[:return_to] return end redirect_to default

end

Reading Security Guide I can see that this can be used in phishing attacks, so I would like to protect it, perhaps by filtering return_to redirect only to URLs in my domain.

Am I missing something? Any ideas on how to do this in a simple and elegant way?

+4

redirect security ruby-on-rails-3

dgilperez Jan 7 '12 at 22:21

source share

1 answer

Cyrus · Answer 1 · 2013-08-09T06:12:29+0000

I added the following as a private method to my ApplicationController

  def redirect_to_param(token) unless token.blank? parsed_token = URI.parse(token) res = "" res << parsed_token.path unless parsed_token.query.blank? res << "?" res << parsed_token.query end return res end end

And then, wherever I want to redirect to the parameter provided by the user, I say something like

 redirect_to redirect_to_param(params[:redirect])

Will love the feedback on how others do it.

Providing redirects based on the return_to parameter in Rails 3

More articles: