@ -427,12 +427,15 @@ class ApplicationController < ActionController::Base
if ! back_url . blank?
if ! back_url . blank?
begin
begin
uri = URI . parse ( back_url )
uri = URI . parse ( back_url )
# do not redirect user to another host or to the login or register page
# do not allow protocol relative URIs
# do not redirect user to another host (even protocol relative urls have the host set)
if ( ( uri . relative? && back_url . match ( %r{ \ A/ \ w } ) ) \
# whenever a host is set it must match the request's host
|| ( uri . host == request . host ) \
uri_local_to_host = uri . host . nil? || uri . host == request . host
|| ( uri . to_s == home_path ) \
&& ! uri . path . match ( %r{ /(login|account/register) } ) )
# do not redirect user to the login or register page
uri_path_allowed = ! uri . path . match ( %r{ /(login|account/register) } )
if uri_local_to_host && uri_path_allowed
redirect_to ( back_url )
redirect_to ( back_url )
return
return
end
end
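Review bot: The new host check `uri_local_to_host = uri.host.nil? || uri.host == request.host` accepts every host-less URI as local, so a back_url with a non-HTTP scheme that URI.parse accepts without a host (a `javascript:` or `data:` URI, for instance) still reaches `redirect_to(back_url)`; the scheme should be constrained alongside the host, e.g. `uri_scheme_allowed = uri.scheme.nil? || %w[http https].include?(uri.scheme)` added to the `if` condition. Comparing only `uri.host` also lets an absolute URL that differs from the current request in port or scheme through, which may or may not be intended here. The path check `!uri.path.match(...)` presumably assumes `uri.path` is never nil; if an opaque URI can yield a nil path at this point, a `uri.path.to_s` guard would avoid a NoMethodError that the surrounding rescue may not cover. The enclosing method and the rescue paired with this `begin` are outside the hunk.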