patch open redirect in /login

dlqqq · Carreau · commit 789fed081a48 · 2026-05-04T14:28:37.000+02:00
diff --git a/jupyter_server/auth/login.py b/jupyter_server/auth/login.py
@@ -43,6 +43,15 @@ def _redirect_safe(self, url, default=None):
         # \ is not valid in urls, but some browsers treat it as /
         # instead of %5C, causing `\\` to behave as `//`
         url = url.replace("\\", "%5C")
+
+        # Prevent open redirect attacks by blocking URLs that start with //
+        # These are protocol-relative URLs that can redirect to external sites
+        if url.startswith("//"):
+            self.log.warning("Not allowing login redirect to protocol-relative URL %r" % url)
+            url = default
+            self.redirect(url)
+            return
+
         # urllib and browsers interpret extra '/' in the scheme separator (`scheme:///host/path`)
         # differently.
         # urllib gives scheme=scheme, netloc='', path='/host/path', while
