From 87af0551e64017ae3fcc6ce27b4a208ff8d8b7fe Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: May 23 2017 10:44:45 +0000
Subject: Rely on the existing is_safe_url to determine if a URL is safe to redirect to


Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

---

diff --git a/pagure/ui/app.py b/pagure/ui/app.py
index a348982..5275fa1 100644
--- a/pagure/ui/app.py
+++ b/pagure/ui/app.py
@@ -21,7 +21,7 @@ import pagure.lib
 import pagure.lib.git
 import pagure.forms
 import pagure.ui.filters
-from pagure import (APP, SESSION, login_required,
+from pagure import (APP, SESSION, login_required, is_safe_url,
                     authenticated, admin_session_timedout)
 
 
@@ -496,8 +496,8 @@ def wait_task(taskid):
             flask.flash('Your task failed: %s' % str(result))
             status.forget()
             prev = flask.request.args.get('prev')
-            if not prev or not prev.startswith('/'):
-                prev = '/'
+            if not is_safe_url(prev):
+                prev = flask.url_for('index')
             return flask.redirect(prev)
         endpoint = result.pop('endpoint')
         status.forget()
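Review bot: The new guard in the task-failure branch of `wait_task` drops the explicit empty check that the old `not prev or ...` condition had, so a request without a `prev` argument now passes `None` straight into `is_safe_url`. That helper is not visible in this diff; if it resolves its argument against the host URL, as the common Flask recipe does, a missing or empty value would presumably resolve to the site itself and be accepted, and `flask.redirect(prev)` would then be called with `None`. Keeping the emptiness test makes the fallback independent of the helper's handling of `None`: `if not prev or not is_safe_url(prev):`. A short comment above the check, such as `# prev is user-controlled: only redirect to same-host targets`, would record why the validation is there. The body of `wait_task` starts and continues outside this hunk, so any other redirect targets it takes from the request are not covered by this note.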