From 0f768d144aa01d35b42c834604339c899b6eb575 Mon Sep 17 00:00:00 2001
From: Kevin Xiwei Zheng <blankplacement@gmail.com>
Date: Wed, 26 Jun 2013 12:11:06 -0400
Subject: [PATCH] Restrict post-login redirection targets to local URLs

---
 app/controllers/sessions_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 53957e2fb..82b6a8efb 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -7,7 +7,8 @@ class SessionsController < ApplicationController
     session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
 
     if session_creator.authenticate
-      redirect_to(params[:url] || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
+      url = params[:url] if params[:url].start_with? '/'
+      redirect_to(url || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
     else
       redirect_to(new_session_path, :notice => "Password was incorrect.")
     end