From f87c3e260cb1fd7ac56775886f66c402acfc3343 Mon Sep 17 00:00:00 2001
From: Alex Artigues
Date: Wed, 29 Jun 2016 20:54:13 -0400
Subject: [PATCH] Fix next redirect if only one / exists
---
 gluon/tools.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/gluon/tools.py b/gluon/tools.py
index 7bfa4b7f..23fba4b4 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -1918,11 +1918,13 @@ class Auth(object):
         if isinstance(next, (list, tuple)):
             next = next[0]
         if next and self.settings.prevent_open_redirect_attacks:
-            # Prevent an attacker from adding an arbitrary url after the
-            # _next variable in the request.
-            items = next.split('/')
-            if '//' in next and items[2] != current.request.env.http_host:
-                next = None
+            # Prevent an attacker from adding an arbitrary url after the _next variable in the request.
+            # Browsers will fix a single / so check multiple things just in case
+            items = filter(None, next.split('/'))
+            has_url = any(x in next for x in ['//', ':', 'ftp', 'http', 'rss', 'xml'])
+            if has_url and len(items) > 1:
+                if items[1] != current.request.env.http_host:
+                    next = None
         return next
 
     def _get_user_id(self):
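Review bot: The new guard `if has_url and len(items) > 1:` still lets a protocol-relative target with no path through: a value like `//other-host` (constructed example) makes `has_url` true but leaves only one non-empty segment, so `next` is never cleared, while a legitimate in-site path such as `/xml/report` trips the substring list and is cleared because `items[1]` is the path segment rather than the host. Positional comparison on a filtered split is fragile either way; parse the value and compare the authority instead: `parsed = urlparse(next)` followed by `if (parsed.scheme or parsed.netloc) and parsed.netloc != current.request.env.http_host: next = None` (`urlparse` comes from the `urlparse` module on Python 2 and `urllib.parse` on Python 3, so an import may be needed if the module lacks one). Note also that `items = filter(None, next.split('/'))` is only a list under Python 2; on Python 3 `filter` returns an iterator and `len(items)` raises TypeError. The enclosing method begins outside the hunk.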