21025: Handle api_token as a list throughout keep-web handler (21025-keep-web-redirect-bypass)
author Brett Smith <brett.smith@curii.com>
Thu, 26 Oct 2023 20:13:31 +0000 (16:13 -0400)
committer Brett Smith <brett.smith@curii.com>
Thu, 26 Oct 2023 20:13:31 +0000 (16:13 -0400)
commit 9b9ada224856e289cdd9e81954c4ea3c3bc1fe68
tree 913d8b6eb7c27555c0012de9b18a652a0af134ae
parent c9125cabaeb7a345f9180db5b9f6442b1c091f07
21025: Handle api_token as a list throughout keep-web handler

The previous code used `Request.FormValue("api_token") == ""` to
determine whether or not an API token was provided. However, this empty
string value could be returned both when there was no API token and when
an attacker explicitly passed `api_token=`. An attacker could take
advantage of this flattening to bypass the intended redirect and
introspect API tokens in the URL.

Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
services/keep-web/handler.go
services/keep-web/handler_test.go
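The commit message describes a presence check that cannot tell an absent parameter from one that is present but empty. The following is an added example illustrating that distinction in Go's `net/http`; it is not code from the Arvados repository or from this commit. It places the `FormValue`-based check beside a list-based check that tests for the key in `r.Form`, which is the approach the commit title names. The function names (`tokenFromFormVulnerable`, `tokenFromFormList`, `redirectDecision`, `newGetRequest`), the request path and the sample query strings are constructed for the example and are not keep-web's real handler logic.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenFromFormVulnerable mirrors the pattern the commit message criticises:
// FormValue returns "" both when api_token is absent from the request and
// when it is present with an empty value, so "provided" is wrong for
// "?api_token=" and for "?api_token=&api_token=<value>".
func tokenFromFormVulnerable(r *http.Request) (token string, provided bool) {
	token = r.FormValue("api_token")
	return token, token != ""
}

// tokenFromFormList reads api_token as a list. Presence is decided by whether
// the key exists in the parsed form at all, independent of its value(s), so
// an empty value and a repeated key are both reported as "provided".
func tokenFromFormList(r *http.Request) (tokens []string, provided bool) {
	if err := r.ParseForm(); err != nil {
		return nil, false
	}
	tokens, provided = r.Form["api_token"]
	return tokens, provided
}

// redirectDecision models the handler's choice in simplified, constructed
// form: a token carried in the URL should trigger a redirect that moves it
// out of the location bar; an ordinary request is served directly.
// useList selects which presence check decides.
func redirectDecision(r *http.Request, useList bool) string {
	var provided bool
	if useList {
		_, provided = tokenFromFormList(r)
	} else {
		_, provided = tokenFromFormVulnerable(r)
	}
	if provided {
		return "redirect"
	}
	return "serve"
}

// newGetRequest builds a GET request for a constructed collection path with
// the given raw query string, so the two checks can be compared offline.
func newGetRequest(rawQuery string) *http.Request {
	return httptest.NewRequest(http.MethodGet, "/c=example/foo?"+rawQuery, nil)
}

func main() {
	// Constructed sample queries; "placeholder" stands in for a token value.
	for _, q := range []string{"", "api_token=", "api_token=&api_token=placeholder"} {
		r := newGetRequest(q)
		fmt.Printf("%-36q FormValue check: %-8s list check: %s\n",
			q, redirectDecision(r, false), redirectDecision(r, true))
	}
}
```

The second and third sample queries are the cases the `FormValue` check gets wrong: both contain the `api_token` key, yet `FormValue` returns the first value, which is empty, and the handler falls through to the serve path. Checking `r.Form["api_token"]` for key existence and then handling every value in the slice keeps the presence decision and the later token handling consistent, which is the property a regression test for this fix should pin down.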