[#1419] Check that redirection target is local

ckan · Jun 26, 2014 · c884448 · c884448
1 parent 46b14f4
commit c884448
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/ckan/controllers/util.py b/ckan/controllers/util.py
@@ -2,6 +2,7 @@
 
 import ckan.lib.base as base
 import ckan.lib.i18n as i18n
+import ckan.lib.helpers as h
 
 
 class UtilController(base.BaseController):
@@ -10,7 +11,11 @@ class UtilController(base.BaseController):
     def redirect(self):
         ''' redirect to the url parameter. '''
         url = base.request.params.get('url')
-        return base.redirect(url)
+
+        if h.url_is_local(url):
+            return base.redirect(url)
+        else:
+            return h.redirect_to(controller='home', action='index')
 
     def primer(self):
         ''' Render all html components out onto a single page.