From d45dc04a3ea8d2c36092c9342bae473406c9352d Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Tue, 15 Jan 2019 17:36:32 +0100
Subject: [PATCH] Limit redirect to host

---
 app/controllers/application_controller.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 99ce4289..fd6ceac4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,7 +20,14 @@ class ApplicationController < ActionController::Base
 def render_not_authorized
 respond_to do |format|
- format.html { redirect_to(request.referrer || :root, alert: t('application.not_authorized')) }
+ format.html do
+ if request.referrer.present? && request.referrer.include?(request.base_url)
+ destination = request.referrer
+ else
+ destination = :root
+ end
+ redirect_to(destination, alert: t('application.not_authorized'))
+ end
 format.json { render json: {error: t('application.not_authorized')}, status: :unauthorized }
 end
 end
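Review bot: `request.referrer.include?(request.base_url)` in the new `format.html` block is a substring test rather than an origin check, so a referrer on a different host that merely contains the base URL somewhere in its string (e.g. in its path or query string) still passes and the redirect can leave the site, which is the case the commit is meant to close. Compare the parsed referrer's scheme, host and port against the request's instead, and treat a malformed referrer like an absent one; `URI.parse` raises `URI::InvalidURIError` on bad input, so that path needs a rescue that falls back to `:root`. Newer Rails versions provide `redirect_back(fallback_location: ..., allow_other_host: false)`, which performs this same-host comparison itself and would be preferable if the app's Rails version supports it. The two branches assigning `destination` can also collapse into a single default plus one conditional override, as below.
```ruby
format.html do
  referrer = request.referrer
  destination = :root
  if referrer.present?
    begin
      uri = URI.parse(referrer)
      # Same origin only: scheme, host and port must all match the current request.
      same_origin = uri.scheme == request.scheme && uri.host == request.host && uri.port == request.port
      destination = referrer if same_origin
    rescue URI::InvalidURIError
      # Malformed referrer: keep the :root fallback.
    end
  end
  redirect_to(destination, alert: t('application.not_authorized'))
end
# … unchanged: format.json branch …
```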