Allow external redirect for render host and LTI
We only use the `launch_presentation_return_url` provided to the @provider, in order to prevent using an open redirect.
This commit is contained in:
@ -110,7 +110,7 @@ class ApplicationController < ActionController::Base
|
||||
redirect_to :root, alert: message
|
||||
# Redirect to main domain if the request originated from our render_host
|
||||
elsif request.path == '/' && request.host == RENDER_HOST
|
||||
redirect_to Rails.application.config.action_mailer.default_url_options
|
||||
redirect_to Rails.application.config.action_mailer.default_url_options, allow_other_host: true
|
||||
else
|
||||
redirect_back fallback_location: :root, allow_other_host: false, alert: message
|
||||
end
|
||||
|
@ -124,10 +124,10 @@ module Lti
|
||||
private :require_valid_oauth_signature
|
||||
|
||||
def return_to_consumer(options = {})
|
||||
consumer_return_url = @provider.try(:launch_presentation_return_url) || params[:launch_presentation_return_url]
|
||||
consumer_return_url = @provider.try(:launch_presentation_return_url)
|
||||
if consumer_return_url
|
||||
consumer_return_url += "?#{options.to_query}" if options.present?
|
||||
redirect_to(consumer_return_url)
|
||||
redirect_to(consumer_return_url, allow_other_host: true)
|
||||
else
|
||||
flash[:danger] = options[:lti_errormsg]
|
||||
flash[:info] = options[:lti_msg]
|
||||
|
Reference in New Issue
Block a user