From bf2528dbd05bd34d6a2817c3d0785ac6b2ce087e Mon Sep 17 00:00:00 2001
From: Xavier-Do <xdo@odoo.com>
Date: Tue, 5 Dec 2023 09:59:58 +0100
Subject: [PATCH] [FIX] runbot: avoid non local redirect

The goal of this feature is to redirect to the build
---
 runbot/controllers/frontend.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/runbot/controllers/frontend.py b/runbot/controllers/frontend.py
index 9331329f..f8fa6567 100644
--- a/runbot/controllers/frontend.py
+++ b/runbot/controllers/frontend.py
@@ -83,6 +83,7 @@ class Runbot(Controller):
         '/runbot/submit'
     ], type='http', auth="public", methods=['GET', 'POST'], csrf=False)
     def submit(self, more=False, redirect='/', keep_search=False, category=False, filter_mode=False, update_triggers=False, **kwargs):
+        assert redirect.startswith('/runbot/')
         response = werkzeug.utils.redirect(redirect)
         response.set_cookie('more', '1' if more else '0')
         response.set_cookie('keep_search', '1' if keep_search else '0')