X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e46caaf835e32106e2da5aa7f895435bd4718da6..7db74f672f64b3e647a98c1d8e5978b50d79538d:/lib/controller/localdb/logout.go
diff --git a/lib/controller/localdb/logout.go b/lib/controller/localdb/logout.go
index e1603f1448..04e7681ad7 100644
--- a/lib/controller/localdb/logout.go
+++ b/lib/controller/localdb/logout.go
@@ -33,6 +33,8 @@ func logout(ctx context.Context, cluster *arvados.Cluster, opts arvados.LogoutOp
 } else {
 target = cluster.Services.Workbench1.ExternalURL.String()
 }
+ } else if err := validateLoginRedirectTarget(cluster, target); err != nil {
+ return arvados.LogoutResponse{}, httpserver.ErrorWithStatus(fmt.Errorf("invalid return_to parameter: %s", err), http.StatusBadRequest)
 }
 return arvados.LogoutResponse{RedirectLocation: target}, nil
 }
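Review bot: The added `else if` branch flattens the validator's error with `%s`, so the underlying cause is no longer reachable through `errors.Is`/`errors.As`; `fmt.Errorf("invalid return_to parameter: %w", err)` keeps the chain with the same message text. The branch also deserves a short why-comment, for example `// return_to is caller-supplied: reject targets validateLoginRedirectTarget does not accept, so logout cannot act as an open redirect.`, because the helper is named for login and its role on the logout path is not obvious. If the validator's message echoes the raw target, whatever renders this 400 response should treat that text as untrusted. The opening `if` of this chain and the start of logout() lie outside the hunk, so the condition under which validation is skipped cannot be confirmed from here.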