From 6a52f76635e747760503376109b137466a48b79f Mon Sep 17 00:00:00 2001
From: Mihai Parparita
Date: Sat, 6 Dec 2014 14:50:40 -0800
Subject: [PATCH] Fix continue URL validation.

When running in production http.Reqest.URL is an absolute URL, so we shouldn't check for leading slashes. Instead check for the hostname matching (which also works for relative URLs on localhost).
---
 app/retrogit.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/retrogit.go b/app/retrogit.go
index 6f96c32..08aebaa 100644
--- a/app/retrogit.go
+++ b/app/retrogit.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
-	"strings"
 	"sync"
 	"time"
 
@@ -329,7 +328,13 @@ func githubOAuthCallbackHandler(w http.ResponseWriter, r *http.Request) *AppErro
 	session.Values[sessionConfig.UserIdKey] = user.ID
 	session.Save(r, w)
 	continueUrl := r.FormValue("continue_url")
-	if continueUrl == "" || !strings.HasPrefix(continueUrl, "/") {
+	if continueUrl != "" {
+		continueUrlParsed, err := url.Parse(continueUrl)
+		if err != nil || continueUrlParsed.Host != r.URL.Host {
+			continueUrl = ""
+		}
+	}
+	if continueUrl == "" {
 		indexUrl, _ := router.Get("index").URL()
 		continueUrl = indexUrl.String()
 	}
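Review bot: The host comparison in the new `if continueUrl != ""` block accepts any continue_url whose parsed Host is empty whenever r.URL.Host is empty, which is the relative-request-URI case the commit message describes for localhost; a value with a non-http scheme, or a `/\host` form that browsers treat as protocol-relative, has an empty Host in Go's parser and so passes as "same host". Conversely, where r.URL is absolute a genuinely relative continue_url is rejected, since its Host is "" rather than r.URL.Host. Comparing against r.Host (the Host header, populated for both request-URI forms) and accepting either a same-host http(s) URL or a plain `/`-rooted relative path avoids both, as below; this keeps the `strings` import that the first hunk removes. githubOAuthCallbackHandler starts and ends outside the hunk.
```go
	continueUrl := r.FormValue("continue_url")
	if continueUrl != "" {
		continueUrlParsed, err := url.Parse(continueUrl)
		switch {
		case err != nil:
			continueUrl = ""
		case continueUrlParsed.Scheme == "" && continueUrlParsed.Host == "":
			// Relative URL: only a plain absolute path; reject "//host" and "/\host" forms.
			p := continueUrlParsed.Path
			if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(p, "/\\") {
				continueUrl = ""
			}
		case (continueUrlParsed.Scheme != "http" && continueUrlParsed.Scheme != "https") || continueUrlParsed.Host != r.Host:
			// Absolute URL: must be http(s) on the host this request was served for.
			continueUrl = ""
		}
	}
	// … unchanged: fallback to the index URL when continueUrl is empty …
```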