X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/864c3b0afd16c77e046f0072d8517d34c5a44792..34b6ae3f6c8204f87a9498d00f7ebe2b10cda170:/lib/controller/localdb/logout.go
diff --git a/lib/controller/localdb/logout.go b/lib/controller/localdb/logout.go
index e1603f1448..04e7681ad7 100644
--- a/lib/controller/localdb/logout.go
+++ b/lib/controller/localdb/logout.go
@@ -33,6 +33,8 @@ func logout(ctx context.Context, cluster *arvados.Cluster, opts arvados.LogoutOp
 } else {
 target = cluster.Services.Workbench1.ExternalURL.String()
 }
+ } else if err := validateLoginRedirectTarget(cluster, target); err != nil {
+ return arvados.LogoutResponse{}, httpserver.ErrorWithStatus(fmt.Errorf("invalid return_to parameter: %s", err), http.StatusBadRequest)
 }
 return arvados.LogoutResponse{RedirectLocation: target}, nil
 }
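Review bot: The added `else if` branch formats the validator's error with `%s`, which flattens it to text; `fmt.Errorf("invalid return_to parameter: %w", err)` keeps the cause reachable through `errors.Is`/`errors.As` without changing the message. The strength of the check rests entirely on `validateLoginRedirectTarget`, which is defined outside this hunk, and the value returned in `RedirectLocation` is the raw `target` string rather than a re-serialized parsed URL, so it is worth confirming that the validator rejects any value it cannot parse unambiguously. If the validator's error text echoes the supplied `return_to`, that text also ends up in the 400 response body and should be treated as untrusted by whatever renders it. A one-line comment above the branch would document the intent, e.g. `// Reject caller-supplied return_to values that fail redirect-target validation, so logout cannot be used as an open redirect.` The body of `logout` starts outside the hunk.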