From b2ddba994ca5e78fa5dcbc0e00d6171a44b0b338 Mon Sep 17 00:00:00 2001
From: TheAMM
Date: Sun, 16 Sep 2018 21:14:25 +0300
Subject: [PATCH] Fix open redirect (#519)

The funny thing is that we don't even use this anywhere, and the referrer is useless on forms. But hey, maybe someday.
---
 nyaa/views/account.py | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/nyaa/views/account.py b/nyaa/views/account.py
index c9f84d5..9479252 100644
--- a/nyaa/views/account.py
+++ b/nyaa/views/account.py
@@ -211,14 +211,22 @@ def profile():
 def redirect_url():
- home_url = flask.url_for('main.home')
+ next_url = flask.request.args.get('next', '')
+ referrer = flask.request.referrer or ''
- url = flask.request.args.get('next') or \
- flask.request.referrer or \
- home_url
- if url == flask.request.url:
- return home_url
- return url
+ target_url = (
+ # Use ?next= param if it's a local (/foo/bar) path
+ (next_url.startswith('/') and next_url) or
+ # Use referrer if it's on our own host
+ (referrer.startswith(flask.request.host_url) and referrer)
+ )
+
+ # Return the target, avoiding infinite loops
+ if target_url and target_url != flask.request.url:
+ return target_url
+
+ # Default to index
+ return flask.url_for('main.home')
 def send_verification_email(user):
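Review bot: The `next_url.startswith('/')` test in `redirect_url()` still accepts scheme-relative targets such as `//other-host/path`, and browsers commonly treat `/\other-host` the same way, so the `?next=` parameter can still send a user off-site. Tighten the first branch to `(next_url.startswith('/') and not next_url.startswith(('//', '/\\')) and next_url) or`. The referrer branch compares against `flask.request.host_url`, which is presumably derived from the request's Host header, so it is only as trustworthy as the proxy or server configuration that validates that header; a short comment such as `# host_url reflects the Host header; relies on the front end rejecting unknown hosts` would record that assumption. A unit test that passes `//host`, `/\host` and an absolute URL as `next` and expects the home URL back would pin the intended behaviour.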