From a09cacc85376cc7801a1bfad0a47fc0e22ed5253 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Oct 29 2020 08:28:38 +0000
Subject: PR#2504: Only redirect back to HTTP_REFERER if it points to kojiweb
Merges #2504
https://pagure.io/koji/pull-request/2504
Fixes: #2503
https://pagure.io/koji/issue/2503
Kojiweb not redirecting properly when behind SSO
---
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index e3c6080..e5e1809 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -210,10 +210,11 @@ def _redirect(environ, location):
 def _redirectBack(environ, page, forceSSL):
+ localurl = '%s://%s' % (environ['REQUEST_SCHEME'], environ['SERVER_NAME'])
 if page:
 # We'll work with the page we were given
 pass
- elif 'HTTP_REFERER' in environ:
+ elif environ.get('HTTP_REFERER', '').startswith(localurl):
 page = environ['HTTP_REFERER']
 else:
 page = 'index'
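Review bot: The new `startswith(localurl)` test in `_redirectBack` is a plain string-prefix match with no delimiter after the host, so a Referer whose host merely begins with the server name (constructed example: `https://koji.example.org.other.test/`), or that carries it in the userinfo part, still passes and becomes the redirect target. Comparing parsed components is stricter: `ref = urlsplit(environ.get('HTTP_REFERER', ''))` followed by `elif ref.scheme == environ['REQUEST_SCHEME'] and ref.hostname == environ['SERVER_NAME']:` (this needs `urlsplit` in scope; the module's imports are outside the hunk). Separately, `REQUEST_SCHEME` is supplied by Apache rather than guaranteed by the WSGI spec, so the unconditional `environ['REQUEST_SCHEME']` lookup may raise `KeyError` under another server; `environ.get('REQUEST_SCHEME', environ['wsgi.url_scheme'])` would be safer. The rest of `_redirectBack` lies outside the hunk, so how `page` and `forceSSL` are used afterwards cannot be checked from here.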