update redirect login checks

RRosio · RRosio · commit a9a85861eccd · 2022-08-08T08:30:44.000-07:00
diff --git a/notebook/auth/login.py b/notebook/auth/login.py
@@ -6,7 +6,7 @@
 import re
 import os
 
-from urllib.parse import urlparse
+from urllib.parse import urlparse, urlunparse
 
 import uuid
 
@@ -42,15 +42,18 @@ def _redirect_safe(self, url, default=None):
         # instead of %5C, causing `\\` to behave as `//`
         url = url.replace("\\", "%5C")
         parsed = urlparse(url)
-        if parsed.netloc or not (parsed.path + '/').startswith(self.base_url):
+        path_only = urlunparse(parsed._replace(netloc='', scheme=''))
+        if url != path_only or not (parsed.path + '/').startswith(self.base_url):
             # require that next_url be absolute path within our path
             allow = False
             # OR pass our cross-origin check
-            if parsed.netloc:
+            if url != path_only:
                 # if full URL, run our cross-origin check:
                 origin = f'{parsed.scheme}://{parsed.netloc}'
                 origin = origin.lower()
-                if self.allow_origin:
+                if origin == f'{self.request.protocol}://{self.request.host}':
+                    allow = True
+                elif self.allow_origin:
                     allow = self.allow_origin == origin
                 elif self.allow_origin_pat:
                     allow = bool(self.allow_origin_pat.match(origin))
