X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9828e9218084856240fdeafa2d388d8bf322e655..09cbdc3074b3f1e69c9c537875146f6da0a6ed8f:/lib/controller/localdb/logout.go
diff --git a/lib/controller/localdb/logout.go b/lib/controller/localdb/logout.go
index e1603f1448..04e7681ad7 100644
--- a/lib/controller/localdb/logout.go
+++ b/lib/controller/localdb/logout.go
@@ -33,6 +33,8 @@ func logout(ctx context.Context, cluster *arvados.Cluster, opts arvados.LogoutOp
 } else {
 target = cluster.Services.Workbench1.ExternalURL.String()
 }
+ } else if err := validateLoginRedirectTarget(cluster, target); err != nil {
+ return arvados.LogoutResponse{}, httpserver.ErrorWithStatus(fmt.Errorf("invalid return_to parameter: %s", err), http.StatusBadRequest)
 }
 return arvados.LogoutResponse{RedirectLocation: target}, nil
 }
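Review bot: The added `else if` branch is the only check between a caller-supplied `return_to` and `RedirectLocation`, yet nothing in the hunk says so, and it hangs off the tail of the default-target `if` where a later edit could easily drop or bypass it. A comment above the branch such as `// return_to is caller-controlled: reject targets the cluster does not trust so logout cannot act as an open redirect` would make the intent explicit. In the `fmt.Errorf` call, `%w` instead of `%s` would keep the validator's error in the chain for `errors.Is`/`errors.As`. The body of `logout` starts before the hunk and `validateLoginRedirectTarget` is not visible here, so what it accepts cannot be judged from this diff; a test asserting that an untrusted host in `return_to` yields `http.StatusBadRequest` would pin the behaviour.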