From 3095240a07b8476f95041aa4c71d1ffde0e2e5d1 Mon Sep 17 00:00:00 2001
From: JasonOA888
Date: Wed, 6 May 2026 02:43:35 +0800
Subject: [PATCH] Fix open redirect in template share link controller

params[:redir] was used directly without validation, allowing redirects to external URLs. Now only allows relative paths.
---
 app/controllers/templates_share_link_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/templates_share_link_controller.rb b/app/controllers/templates_share_link_controller.rb
index 5dfed111..10a6cbde 100644
--- a/app/controllers/templates_share_link_controller.rb
+++ b/app/controllers/templates_share_link_controller.rb
@@ -10,7 +10,7 @@ class TemplatesShareLinkController < ApplicationController
     @template.update!(template_params)
-    if params[:redir].present?
+    if params[:redir].present? && params[:redir].start_with?('/')
       redirect_to params[:redir]
     else
       head :ok
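Review bot: `start_with?('/')` on the new `if` line still accepts a protocol-relative value of the form `//other-host/...`, which browsers resolve to a different origin, so the open redirect named in the commit message is only partly closed; a backslash after the leading slash is normalised the same way by some browsers. Tighten the guard to `if params[:redir].present? && params[:redir].start_with?('/') && !params[:redir].start_with?('//', '/\\')`, or, if the app is on Rails 7 or later (I can't tell the version from this hunk), let the framework decide with `redirect_to url_from(params[:redir]) || root_path` or `redirect_to params[:redir], allow_other_host: false`, which also covers the `else`/`head :ok` shape unchanged. Whichever form is chosen, a one-line comment such as `# only same-origin paths: a second leading slash would be a protocol-relative external URL` would make the intent of the check clear to the next reader. The enclosing action starts before the hunk and its closing `end` lines fall after it.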