From 67e304f3724e25254822a8c661a67b70f3ab6a6a Mon Sep 17 00:00:00 2001
From: Kirill
Date: Wed, 16 Feb 2022 18:26:51 +0200
Subject: [PATCH] Fix open redirect vulnerability on the login page (#2262)

---
 controllers/route.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controllers/route.go b/controllers/route.go
index 2fdcf2e9..72285518 100644
--- a/controllers/route.go
+++ b/controllers/route.go
@@ -7,6 +7,7 @@ import (
 	"html/template"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/NYTimes/gziphandler"
@@ -296,9 +297,9 @@ func (as *AdminServer) nextOrIndex(w http.ResponseWriter, r *http.Request) {
 	next := "/"
 	url, err := url.Parse(r.FormValue("next"))
 	if err == nil {
-		path := url.Path
+		path := url.EscapedPath()
 		if path != "" {
-			next = "/" + strings.TrimLeft(path, "/")
+			next = "/" + strings.TrimLeft(path, "/")
 		}
 	}
 	http.Redirect(w, r, next, http.StatusFound)
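Review bot: The two defenses in the rewritten `next` computation are undocumented: `url.EscapedPath()` instead of `url.Path` percent-encodes characters such as a backslash so `/\host` cannot be read by a browser as a protocol-relative URL, and the `"/" + strings.TrimLeft(path, "/")` prefix collapses `//host` into a same-origin path; a comment such as `// Force a same-origin path: EscapedPath() percent-encodes "\" and similar, and re-adding exactly one leading "/" defeats "//host" redirects.` would keep a later cleanup from reverting either half. With the new form the `if path != ""` guard is redundant, since an empty path yields `"/"` either way, so the `if err == nil` body could shrink to the single assignment. The local `url` shadows the `net/url` package from the `url.Parse` line onward, which makes `url.EscapedPath()` read ambiguously; renaming it `u` would help. The query string of `next` (`url.RawQuery`) is still dropped, which predates this change; if callers rely on it, `if url.RawQuery != "" { next += "?" + url.RawQuery }` after the assignment preserves it without widening the redirect target. The closing brace of nextOrIndex lies outside the hunk.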