Restrict post-login redirection targets to local URLs

app/controllers/sessions_controller.rb

@@ -7,7 +7,8 @@ class SessionsController < ApplicationController
     session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
 
     if session_creator.authenticate
-      redirect_to(params[:url] || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
+      url = params[:url] if params[:url].start_with? '/'
+      redirect_to(url || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
     else
       redirect_to(new_session_path, :notice => "Password was incorrect.")
     end