From c62c6f68a5e5e00a13ded984a4a3a79b41f9ce4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?=
Date: Wed, 18 Sep 2013 16:52:28 -0400
Subject: [PATCH] prevent tampering with host, port, protocol
Prevents :host, :port, :protocol settings get inherited from GET query parameters. Fixes #285
---
 lib/will_paginate/view_helpers/action_view.rb | 1 +
 spec/view_helpers/action_view_spec.rb | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/will_paginate/view_helpers/action_view.rb b/lib/will_paginate/view_helpers/action_view.rb
index 6fa29295c..0fba71e96 100644
--- a/lib/will_paginate/view_helpers/action_view.rb
+++ b/lib/will_paginate/view_helpers/action_view.rb
@@ -106,6 +106,7 @@ def default_url_params
 def url(page)
 @base_url_params ||= begin
 url_params = merge_get_params(default_url_params)
+ url_params[:only_path] = true
 merge_optional_params(url_params)
 end
diff --git a/spec/view_helpers/action_view_spec.rb b/spec/view_helpers/action_view_spec.rb
index bda96551c..c7797db23 100644
--- a/spec/view_helpers/action_view_spec.rb
+++ b/spec/view_helpers/action_view_spec.rb
@@ -189,6 +189,15 @@ def renderer.gap() '~~' end
 paginate
 assert_links_match /foo\[bar\]=baz/
 end
+
+ it "doesn't allow tampering with host, port, protocol" do
+ request.params :host => 'disney.com', :port => '99', :protocol => 'ftp'
+ paginate
+ assert_links_match %r{^/foo/bar}
+ assert_no_links_match /disney/
+ assert_no_links_match /99/
+ assert_no_links_match /ftp/
+ end
 it "should not preserve parameters on POST" do
 request.post
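Review bot: In `url` (lib/will_paginate/view_helpers/action_view.rb), the added `url_params[:only_path] = true` neutralises the request-supplied `:host`, `:port` and `:protocol` but leaves them, and any other reserved routing option that came in through `merge_get_params`, inside `url_params`. Dropping the reserved keys right after the merge would make the intent explicit and would not depend on how `url_for` treats each option under `only_path`, for example `url_params = url_params.except(:host, :port, :protocol)` (adjust for string keys if `merge_get_params` does not symbolize them; its body is outside this hunk). The assignment also sits before `merge_optional_params`, so a developer-supplied option can presumably still switch absolute URLs back on; if that is intended, a comment such as `# forced for request params; options passed by the view may still override` would record it. `url` continues past the end of the hunk.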
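Review bot: In the new "doesn't allow tampering with host, port, protocol" example (spec/view_helpers/action_view_spec.rb), `%r{^/foo/bar}` anchors at the start of a line, not the start of the string, so it is weaker than the check it appears to express; `assert_links_match %r{\A/foo/bar}` pins each href to begin with the path. The negative checks `/99/` and `/ftp/` are loose in the other direction, since any unrelated link containing those characters would fail the example. The example also does not pin that a request-supplied `:only_path` value is overridden, which is the property the library change relies on.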
@@ -328,16 +337,16 @@ class << helper
 include Routes.url_helpers
 include WillPaginate::ActionView
 end
- helper.default_url_options[:host] = 'example.com'
- helper.default_url_options[:controller] = 'dummy'
- # helper.default_url_options[:only_path] = true
+ helper.default_url_options.update \
+ :only_path => true,
+ :controller => 'dummy'
 collection = WillPaginate::Collection.new(2, 1, 3)
 @render_output = helper.will_paginate(collection)
 assert_select 'a[href]', 4 do |links|
 urls = links.map {|l| l['href'] }.uniq
- urls.should == ['http://example.com/dummy/page/1', 'http://example.com/dummy/page/3']
+ urls.should == ['/dummy/page/1', '/dummy/page/3']
 end
 end
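Review bot: The rewritten setup drops `:host => 'example.com'` from `default_url_options` and sets `:only_path => true` itself, so this example no longer shows what the renderer produces when the application has a default host configured. Keeping the host in the update, `helper.default_url_options.update :host => 'example.com', :controller => 'dummy'`, while still expecting `['/dummy/page/1', '/dummy/page/3']` would pin that the renderer's own `only_path` decides the result. That assumes the forced value reaches `url_for` on this code path, which is not visible here. The enclosing example starts before the hunk.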