allow relative return_path only, check validity

2016-05-07 03:52:14 +02:00
parent f110d2e0ad
commit 1f51e9d823
2 changed files with 12 additions and 3 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -72,7 +72,7 @@ class UsersController < ApplicationController
      end
    else
      flash[:alert] = "Please login first"
-      cookies[:return_path] = request.fullpath
+      cookies[:return_path] = request.env['PATH_INFO']
      redirect_to login_path
    end
  end