Merge pull request #267 from minrk/strict-next

require next_url to be an absolute path
Min RK
2015-07-07 12:33:19 -05:00


@@ -31,7 +31,10 @@ class LoginHandler(BaseHandler):
)
def get(self):
next_url = self.get_argument('next', False)
next_url = self.get_argument('next', '')
if not next_url.startswith('/'):
# disallow non-absolute next URLs (e.g. full URLs)
next_url = ''
user = self.get_current_user()
if user:
if not next_url:
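Review bot: The new guard `if not next_url.startswith('/')` still accepts scheme-relative values such as `//host/path`, which browsers resolve against another origin, so the redirect target is not yet confined to this server's own paths; the same check is repeated in the second hunk after `self.set_login_cookie(user)`. Browsers also normalize a backslash after the leading slash to a second slash, so the conservative form is `if not next_url.startswith('/') or next_url.startswith(('//', '/\\')):`, with the comment reading `# allow only same-origin absolute paths; reject scheme-relative '//host' forms too`. A `self.log.warning(...)` in the reject branch would make such requests visible in the hub log instead of silently dropping them. `get` continues past the end of this hunk.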
@@ -65,7 +68,10 @@ class LoginHandler(BaseHandler):
if not already_running:
yield self.spawn_single_user(user)
self.set_login_cookie(user)
next_url = self.get_argument('next', default='') or self.hub.server.base_url
next_url = self.get_argument('next', default='')
if not next_url.startswith('/'):
next_url = ''
next_url = next_url or self.hub.server.base_url
self.redirect(next_url)
self.log.info("User logged in: %s", username)
else:
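Review bot: The `startswith('/')` check followed by resetting `next_url = ''` duplicates the validation added to `get` in the first hunk, so any future tightening of the redirect rule has to be made in two places; a single helper such as `def get_next_url(self):` that reads the `next` argument, applies the check and returns `''` on rejection, called from both handlers, keeps the policy in one spot. As written, a rejected `next` value is silently replaced by `self.hub.server.base_url`; a `self.log.warning("Rejected non-absolute next URL: %r", next_url)` in the reject branch would leave a trace for operators. The enclosing method (presumably the POST handler) starts and ends outside this hunk.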