From e295b177280c124b4ae401bd41749f7863ae1706 Mon Sep 17 00:00:00 2001
From: JasonOA888
Date: Wed, 6 May 2026 02:37:44 +0800
Subject: [PATCH] Fix open redirect in templates share link controller

The redir parameter was passed directly to redirect_to without any validation, allowing redirects to arbitrary external URLs. Only allow relative paths (starting with /) to prevent abuse.
---
 app/controllers/templates_share_link_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/templates_share_link_controller.rb b/app/controllers/templates_share_link_controller.rb
index 5dfed111..10a6cbde 100644
--- a/app/controllers/templates_share_link_controller.rb
+++ b/app/controllers/templates_share_link_controller.rb
@@ -10,7 +10,7 @@ class TemplatesShareLinkController < ApplicationController
     @template.update!(template_params)
-    if params[:redir].present?
+    if params[:redir].present? && params[:redir].start_with?('/')
       redirect_to params[:redir]
     else
       head :ok
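Review bot: The added `start_with?('/')` guard on the `+` line still admits protocol-relative values such as `//other-host/path`, which `redirect_to` emits unchanged and the browser resolves to another origin, so the open redirect is narrowed rather than closed; backslash forms like `/\` are normalized to `//` by some browsers as well. If the app is on Rails 7.0 or newer, prefer the framework check over a hand-written prefix test — `redirect_to params[:redir], allow_other_host: false` (raises `ActionController::Redirecting::UnsafeRedirectError` for a foreign host) or `url_from(params[:redir])`, which returns nil for anything not on the current host — and on older Rails tighten the condition to `params[:redir].start_with?('/') && !params[:redir].start_with?('//', '/\\')`. A controller test that sends a `//`-prefixed `redir` and asserts no redirect to another host would pin the fix. The hunk's final context line and the remainder of the action lie outside the visible text.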