diff --git a/runbot/controllers/frontend.py b/runbot/controllers/frontend.py
index 9331329f..f8fa6567 100644
--- a/runbot/controllers/frontend.py
+++ b/runbot/controllers/frontend.py
@@ -83,6 +83,7 @@ class Runbot(Controller):
 '/runbot/submit'
 ], type='http', auth="public", methods=['GET', 'POST'], csrf=False)
 def submit(self, more=False, redirect='/', keep_search=False, category=False, filter_mode=False, update_triggers=False, **kwargs):
+ assert redirect.startswith('/runbot/')
 response = werkzeug.utils.redirect(redirect)
 response.set_cookie('more', '1' if more else '0')
 response.set_cookie('keep_search', '1' if keep_search else '0')
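Review bot: The added `assert redirect.startswith('/runbot/')` rejects the parameter's own default, `redirect='/'`, so a request to this `auth="public"` route that omits `redirect` now raises AssertionError instead of redirecting. An `assert` is also the wrong tool for validating request input: it is removed when Python runs with `-O`, which would silently drop the redirect restriction, and when it does fire the client gets an unhandled error rather than a controlled response. An explicit check that falls back to the default would cover both, e.g. `if not redirect.startswith('/runbot/'): redirect = '/'`, with a short comment saying that only same-site runbot paths are accepted as redirect targets. The body of `submit` continues past the end of the hunk, so any later use of `redirect` is not visible here.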