Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>
return
}
+var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo")
+
func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error {
u, err := url.Parse(returnTo)
if err != nil {
if err != nil {
return err
}
+ if u.User != nil {
+ return errUserinfoInRedirectTarget
+ }
target := origin(*u)
for trusted := range cluster.Login.TrustedClients {
trustedOrigin := origin(url.URL(trusted))
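Review bot: The new `u.User != nil` guard in validateLoginRedirectTarget has no comment saying why userinfo is refused, and the new sentinel `errUserinfoInRedirectTarget` has no doc comment. A later maintainer could take the check for redundant with the origin comparison that follows and remove it. I would add above the check something like `// Reject userinfo outright: in "https://trusted.example@other.example/" (constructed example) the part before "@" is not the host, so the URL can look trusted while pointing elsewhere.` and above the variable `// errUserinfoInRedirectTarget is returned when a login redirect target includes a user[:password]@ component.` The loop over `cluster.Login.TrustedClients` continues past the end of this hunk, so whether `origin()` would already ignore userinfo cannot be judged from here. Either way, the explicit rejection is worth keeping and documenting.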