strict host matching by including /

This commit is contained in:
Min RK
2016-09-02 11:44:06 +02:00
parent c4bfa63fd6
commit 46bb7b05f4


@@ -40,10 +40,10 @@ class LoginHandler(BaseHandler):
def get(self): def get(self):
self.statsd.incr('login.request') self.statsd.incr('login.request')
next_url = self.get_argument('next', '') next_url = self.get_argument('next', '')
if next_url.startswith('%s://%s' % (self.request.protocol, self.request.host)): if (next_url + '/').startswith('%s://%s/' % (self.request.protocol, self.request.host)):
# treat absolute URLs for our host as absolute paths: # treat absolute URLs for our host as absolute paths:
next_url = urlparse(next_url).path next_url = urlparse(next_url).path
if not next_url.startswith('/'): elif not next_url.startswith('/'):
# disallow non-absolute next URLs (e.g. full URLs to other hosts) # disallow non-absolute next URLs (e.g. full URLs to other hosts)
next_url = '' next_url = ''
user = self.get_current_user() user = self.get_current_user()
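Review bot: A protocol-relative `next` such as `//evil.example/` still passes the `elif` on the new side, because it starts with `/` and is never rejected, and the same value can come out of the first branch too (`urlparse('http://host//evil.example').path` is `//evil.example`), so the "full URLs to other hosts" the comment wants to block can presumably still reach whatever redirect consumes `next_url` further down. I would make the second check unconditional and widen it: `if not next_url.startswith('/') or next_url.startswith(('//', '/\\')):` with the comment `# disallow non-absolute and protocol-relative next URLs (e.g. //other-host, which browsers redirect off-site)`; turning the `elif` into a plain `if` also covers the path extracted from a same-host URL. The host comparison is exact-case against `self.request.host`, which fails closed for differently-cased hosts, so that is acceptable if over-strict. `get()` continues past the end of the hunk, so I cannot see where `next_url` is ultimately used.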