Fix open redirection

s-gv · Mar 3, 2018 · 1f6313c · 1f6313c
1 parent 3f73f96
commit 1f6313c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/views/auth.go b/views/auth.go
@@ -20,7 +20,7 @@ import (
 
 var LoginHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session) {
 	redirectURL, err := url.QueryUnescape(r.FormValue("next"))
-	if redirectURL == "" || err != nil {
+	if err != nil || redirectURL == "" || redirectURL[0] != '/' {
 		redirectURL = "/"
 	}
 	if sess.IsUserValid() {
@@ -59,7 +59,7 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
 
 var SignupHandler = UA(func(w http.ResponseWriter, r *http.Request, sess Session) {
 	redirectURL, err := url.QueryUnescape(r.FormValue("next"))
-	if redirectURL == "" || err != nil {
+	if err != nil || redirectURL == "" || redirectURL[0] != '/' {
 		redirectURL = "/"
 	}
 	if sess.IsUserValid() && !sess.IsUserSuperAdmin() {