From dac81a4164ecb851dd18ed5df4f744bf355dbce5 Mon Sep 17 00:00:00 2001
From: Alex Iribarren
Date: Sep 23 2020 11:44:27 +0000
Subject: Only redirect back to HTTP_REFERER if it points to kojiweb
---
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index 33a812d..2a5ae19 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -211,10 +211,11 @@ def _redirect(environ, location):
 def _redirectBack(environ, page, forceSSL):
+ localurl = '%s://%s' % (environ['REQUEST_SCHEME'], environ['SERVER_NAME'])
 if page:
 # We'll work with the page we were given
 pass
- elif 'HTTP_REFERER' in environ:
+ elif environ.get('HTTP_REFERER', '').startswith(localurl):
 page = environ['HTTP_REFERER']
 else:
 page = 'index'
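Review bot: The `startswith(localurl)` test in the new `elif` is a bare string-prefix match with nothing delimiting the end of the host, so a Referer whose host merely begins with the server name, or that carries the server name in its userinfo part, still passes and is used as the redirect target. Ending the prefix at the path boundary closes that, e.g. `localurl = '%s://%s/' % (environ['REQUEST_SCHEME'], environ['SERVER_NAME'])`; comparing the scheme and hostname of the Referer parsed with `urlsplit` against the two environ values would be sturdier still. `localurl` is also built before the `if page:` branch, so a missing `REQUEST_SCHEME` (it is supplied by the web server rather than required by WSGI, unlike `wsgi.url_scheme`) would raise KeyError even when no Referer is consulted; that is presumably fine under the deployed server, but worth confirming. The body of `_redirectBack` continues past the end of this hunk.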