hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-08 10:34:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #267 from minrk/strict-next

Browse Source 
require next_url to be an absolute path
This commit is contained in:
Min RK
2015-07-07 12:33:19 -05:00
parent 02c8855d10 ea91bed620
commit a00abc7a76
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
jupyterhub/handlers/login.py
View File

@@ -31,7 +31,10 @@ class LoginHandler(BaseHandler):
) )
def get(self): def get(self):
next_url = self.get_argument('next', False) next_url = self.get_argument('next', '')
if not next_url.startswith('/'):
# disallow non-absolute next URLs (e.g. full URLs)
next_url = ''
user = self.get_current_user() user = self.get_current_user()
if user: if user:
if not next_url: if not next_url:
@@ -65,7 +68,10 @@ class LoginHandler(BaseHandler):
if not already_running: if not already_running:
yield self.spawn_single_user(user) yield self.spawn_single_user(user)
self.set_login_cookie(user) self.set_login_cookie(user)
next_url = self.get_argument('next', default='') or self.hub.server.base_url next_url = self.get_argument('next', default='')
if not next_url.startswith('/'):
next_url = ''
next_url = next_url or self.hub.server.base_url
self.redirect(next_url) self.redirect(next_url)
self.log.info("User logged in: %s", username) self.log.info("User logged in: %s", username)
else: else: