From 659862a6285906b0f6fc77e83007a09910d403f7 Mon Sep 17 00:00:00 2001
From: Ajurna
Date: Tue, 4 May 2021 18:21:12 +0100
Subject: [PATCH] URL redirection from remote source (#29)
---
 comic_auth/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/comic_auth/views.py b/comic_auth/views.py
index 903b3f4..34218bb 100644
--- a/comic_auth/views.py
+++ b/comic_auth/views.py
@@ -1,6 +1,7 @@
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.models import User
 from django.shortcuts import redirect, render
+from django.utils.http import url_has_allowed_host_and_scheme
 from comic_auth.forms import LoginForm
@@ -14,7 +15,10 @@ def comic_login(request):
 if user.is_active:
 login(request, user)
 if "next" in request.GET:
- return redirect(request.GET["next"])
+ if url_has_allowed_host_and_scheme(request.GET["next"], allowed_hosts=None):
+ return redirect(request.GET["next"])
+ else:
+ return redirect("/comic/")
 else:
 return redirect("/comic/")
 else:
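Review bot: In the second hunk, `allowed_hosts=None` makes Django treat the allowed-host set as empty, so only host-less (relative) `next` values pass and an absolute URL naming this site's own host silently falls back to `/comic/`. That does close the open redirect, but the call does not show that this is intended; either state it in a comment such as `# allowed_hosts=None: accept relative paths only` or pass the request host explicitly, `url_has_allowed_host_and_scheme(next_url, allowed_hosts={request.get_host()}, require_https=request.is_secure())`. The added `else: return redirect("/comic/")` repeats the fallback that already follows it, so reading `next_url = request.GET.get("next")` once and falling through to a single `redirect("/comic/")` would avoid the duplicate branch. A test that posts a login with an external `next` and asserts the redirect target is `/comic/` would pin the fix. The body of comic_login starts and ends outside the hunk, and indentation is not preserved in this view, so the nesting is inferred.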