Allow external redirect for render host and LTI

We only use the `launch_presentation_return_url` provided to the @provider, in order to prevent using an open redirect.
2022-12-05 22:13:59 +01:00
parent b7a3fd4586
commit 9977e1614b
3 changed files with 7 additions and 6 deletions
--- a/app/controllers/concerns/lti.rb
+++ b/app/controllers/concerns/lti.rb
@@ -124,10 +124,10 @@ module Lti
  private :require_valid_oauth_signature

  def return_to_consumer(options = {})
-    consumer_return_url = @provider.try(:launch_presentation_return_url) || params[:launch_presentation_return_url]
+    consumer_return_url = @provider.try(:launch_presentation_return_url)
    if consumer_return_url
      consumer_return_url += "?#{options.to_query}" if options.present?
-      redirect_to(consumer_return_url)
+      redirect_to(consumer_return_url, allow_other_host: true)
    else
      flash[:danger] = options[:lti_errormsg]
      flash[:info] = options[:lti_msg]