From 99d3d1d465c7d46eac9df3e47e017b3ee03fbb36 Mon Sep 17 00:00:00 2001
From: Tim Nyborg
Date: Mon, 20 May 2019 11:27:21 +0100
Subject: [PATCH] prevent open redirects with no protocol specified
prevent_open_redirect doesn't currently handle a 'next' with a // but no protocol, e.g.: .../user/login?_next=//google.com
---
 gluon/tools.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gluon/tools.py b/gluon/tools.py
index 50dc103d..aefebbc5 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -1754,7 +1754,7 @@ class Auth(AuthAPI):
 # _next variable in the request.
 if next:
 parts = next.split('/')
- if ':' not in parts[0]:
+ if ':' not in parts[0] and parts[:2] != ['', '']:
 return next
 elif len(parts) > 2 and parts[0].endswith(':') and parts[1:3] == ['', host]:
 return next
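Review bot: The new guard on the `+` line still passes a protocol-relative redirect when a backslash stands in for one of the slashes, e.g. `_next=/\evil.com` or `_next=\\evil.com`: `next.split('/')` gives `['', '\\evil.com']` for the first, which is neither `['', '']` nor contains a `:` in `parts[0]`, so `next` is returned, and mainstream browsers treat `\` as `/` in http(s) URLs, so the Location still leaves the site. Normalising before the split, `parts = next.replace('\\', '/').split('/')`, closes that variant while leaving the returned value untouched; a leading-whitespace variant (`_next= //evil.com`) deserves a `.strip()` in the same expression, since HTTP header parsing trims it before the browser sees the URL. The `elif` host comparison on `parts[1:3]` keeps working on the normalised parts. The enclosing method continues past the end of the hunk, so if `parts` is reused further down, check that the normalised split is acceptable there too.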