From bf2528dbd05bd34d6a2817c3d0785ac6b2ce087e Mon Sep 17 00:00:00 2001
From: Xavier-Do
Date: Tue, 5 Dec 2023 09:59:58 +0100
Subject: [PATCH] [FIX] runbot: avoid non local redirect

The goal of this feature is to redirect to the build
---
 runbot/controllers/frontend.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/runbot/controllers/frontend.py b/runbot/controllers/frontend.py
index 9331329f..f8fa6567 100644
--- a/runbot/controllers/frontend.py
+++ b/runbot/controllers/frontend.py
@@ -83,6 +83,7 @@ class Runbot(Controller):
 '/runbot/submit'
 ], type='http', auth="public", methods=['GET', 'POST'], csrf=False)
 def submit(self, more=False, redirect='/', keep_search=False, category=False, filter_mode=False, update_triggers=False, **kwargs):
+ assert redirect.startswith('/runbot/')
 response = werkzeug.utils.redirect(redirect)
 response.set_cookie('more', '1' if more else '0')
 response.set_cookie('keep_search', '1' if keep_search else '0')
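Review bot: The added `assert redirect.startswith('/runbot/')` in `submit` is not a dependable guard: asserts are stripped when Python runs with `-O`, which would silently restore the unrestricted redirect on this `auth="public"`, `csrf=False` route, and a failing assert surfaces as an unhandled AssertionError (presumably a server error) rather than a clean rejection. The signature still defaults to `redirect='/'`, which does not start with `/runbot/`, so a request that omits the `redirect` parameter would now fail the check. I would use an explicit test that cannot be compiled out, such as `if not redirect.startswith('/runbot/'): redirect = '/runbot/'` (or reject with a 400 response), assuming `/runbot/` is a valid landing path in this controller. The route decorator starts above the hunk and the body of `submit` continues below it.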