From a7ecf445db63f179bae25b671a29013d511460af Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Thu, 5 Mar 2015 16:55:09 -0600
Subject: [PATCH] Fix login redirect if referrer is not internal to site.
---
 tailbone/subscribers.py | 8 +++-----
 tailbone/views/auth.py | 6 +-----
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/tailbone/subscribers.py b/tailbone/subscribers.py
index fb7c5d36..23e31f3b 100644
--- a/tailbone/subscribers.py
+++ b/tailbone/subscribers.py
@@ -117,11 +117,9 @@ def context_found(event):
 if request.session.get('referrer'):
 return request.session.pop('referrer')
 referrer = request.referrer
- if not referrer or referrer == request.current_route_url():
- if default:
- referrer = default
- else:
- referrer = request.route_url('home')
+ if (not referrer or referrer == request.current_route_url()
+ or not referrer.startswith(request.host_url)):
+ referrer = default or request.route_url('home')
 return referrer
 request.get_referrer = get_referrer
diff --git a/tailbone/views/auth.py b/tailbone/views/auth.py
index aec51e01..cc03122f 100644
--- a/tailbone/views/auth.py
+++ b/tailbone/views/auth.py
@@ -56,11 +56,7 @@ def forbidden(request):
 # Store current URL in session, for smarter redirect after login.
 request.session['next_url'] = request.current_route_url()
 request.session.flash(msg, allow_duplicate=False)
-
- url = request.referer
- if not url or url == request.current_route_url():
- url = request.route_url('home')
- return HTTPFound(location=url)
+ return HTTPFound(location=request.get_referrer())
 class UserLogin(formencode.Schema):
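Review bot: The new `referrer.startswith(request.host_url)` test in `get_referrer` is a raw string-prefix match, and `host_url` has no trailing slash, so an off-site URL whose host merely begins with this site's host (constructed example: `https://site.example.other.test/` against `https://site.example`) still passes and becomes the redirect target. Anchoring the prefix closes that gap: `or not referrer.startswith(request.host_url + '/')):`, or compare the parsed scheme and host rather than raw strings. The early `return request.session.pop('referrer')` in the context lines is not covered by the new check either; whether that session value can be influenced from outside is not visible here. The same helper now supplies the redirect in `forbidden` in tailbone/views/auth.py, and `get_referrer` begins above this hunk.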
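Review bot: Switching `forbidden` to `request.get_referrer()` changes more than the host check: per the subscribers.py hunk, the helper first pops and returns a session `referrer` value, so a 403 response now consumes that stored value, which the removed inline code never touched. If that session key is meant for a later form or login flow (not visible here), this redirect will use it up, so it is worth confirming that is intended. A short comment above the return, such as `# get_referrer() falls back to 'home' for a missing or off-site referrer`, would record why no validation appears in this view. The body of `forbidden` begins outside the hunk.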