From 46bb7b05f4b64f3d94585dc9d286eca93a95fbf8 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 2 Sep 2016 11:44:06 +0200
Subject: [PATCH] strict host matching by including `/`

---
 jupyterhub/handlers/login.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/jupyterhub/handlers/login.py b/jupyterhub/handlers/login.py
index f4f2e89f..67144b83 100644
--- a/jupyterhub/handlers/login.py
+++ b/jupyterhub/handlers/login.py
@@ -40,10 +40,10 @@ class LoginHandler(BaseHandler):
     def get(self):
         self.statsd.incr('login.request')
         next_url = self.get_argument('next', '')
-        if next_url.startswith('%s://%s' % (self.request.protocol, self.request.host)):
+        if (next_url + '/').startswith('%s://%s/' % (self.request.protocol, self.request.host)):
             # treat absolute URLs for our host as absolute paths:
             next_url = urlparse(next_url).path
-        if not next_url.startswith('/'):
+        elif not next_url.startswith('/'):
             # disallow non-absolute next URLs (e.g. full URLs to other hosts)
             next_url = ''
         user = self.get_current_user()
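Review bot: The new `elif` still accepts a protocol-relative `next` such as `//other.host/x`, because it only rejects values that do not start with `/`, and the same-host branch above can also produce such a path, since `urlparse('https://host//other.host/x').path` is `//other.host/x` and the `elif` no longer examines it; browsers treat a `//host` redirect target as a different origin, so the redirect guard this hunk tightens can still be bypassed. A single check after the same-host rewrite covers both branches: replace the `elif` line with `if not next_url.startswith('/') or next_url.startswith(('//', '/\\')):` so the path produced by urlparse is validated too. The match on `self.request.protocol` and `self.request.host` is only as trustworthy as the upstream proxy's handling of the Host and forwarded headers, which is not visible here. The body of `get` continues past the end of the hunk.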