prevent open redirects with no protocol specified

prevent_open_redirect doesn't currently handle a 'next' with a // but no protocol, e.g.: .../user/login?_next=//google.com
2019-05-20 11:27:21 +01:00
parent f258cbecee
commit 99d3d1d465
1 changed files with 1 additions and 1 deletions
@@ -1754,7 +1754,7 @@ class Auth(AuthAPI):
        # _next variable in the request.
        if next:
            parts = next.split('/')
-            if ':' not in parts[0]:
+            if ':' not in parts[0] and parts[:2] != ['', '']:
                return next
            elif len(parts) > 2 and parts[0].endswith(':') and parts[1:3] == ['', host]:
                return next