Skip to content
Permalink
Browse files Browse the repository at this point in the history
protect against chrome mishandling backslash as slash in URLs
  • Loading branch information
minrk committed Mar 27, 2019
1 parent d65328d commit 08c4c89
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions notebook/auth/login.py
Expand Up @@ -39,6 +39,10 @@ def _redirect_safe(self, url, default=None):
"""
if default is None:
default = self.base_url
# protect chrome users from mishandling unescaped backslashes.
# \ is not valid in urls, but some browsers treat it as /
# instead of %5C, causing `\\` to behave as `//`
url = url.replace("\\", "%5C")
parsed = urlparse(url)
if parsed.netloc or not (parsed.path + '/').startswith(self.base_url):
# require that next_url be absolute path within our path
Expand Down

0 comments on commit 08c4c89

Please sign in to comment.