From 09e0c4079221560f771f0e25dec86dce43d28a39 Mon Sep 17 00:00:00 2001
From: Mark McDowall
Date: Tue, 20 Aug 2024 14:46:36 -0700
Subject: [PATCH] Fixed: Limit redirects after login to local paths
(cherry picked from commit 14005d8d1054eafaba808337a109d5812f3e79e6)
---
 src/Readarr.Http/Authentication/AuthenticationController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Readarr.Http/Authentication/AuthenticationController.cs b/src/Readarr.Http/Authentication/AuthenticationController.cs
index 64def970f..c1477e2a6 100644
--- a/src/Readarr.Http/Authentication/AuthenticationController.cs
+++ b/src/Readarr.Http/Authentication/AuthenticationController.cs
@@ -47,7 +47,7 @@ namespace Readarr.Http.Authentication
 await HttpContext.SignInAsync(AuthenticationType.Forms.ToString(), new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookies", "user", "identifier")), authProperties);
- if (returnUrl.IsNullOrWhiteSpace())
+ if (returnUrl.IsNullOrWhiteSpace() || !Url.IsLocalUrl(returnUrl))
 {
 return Redirect(_configFileProvider.UrlBase + "/");
 }
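Review bot: The new `!Url.IsLocalUrl(returnUrl)` guard closes the open redirect, but a rejected `returnUrl` is silently folded into the UrlBase fallback with nothing recorded, so an attacker probing this endpoint with phishing targets leaves no trace; consider logging the rejected value at debug level before falling through, e.g. `_logger.Debug("Ignoring non-local returnUrl after login: {0}", returnUrl);` if a logger is available in this controller (none is visible in the hunk). The security intent also deserves a why-comment above the `if`, since the next maintainer may be tempted to relax it: `// Only follow same-host return paths; IsLocalUrl rejects absolute, protocol-relative ("//") and "/\" URLs, so login cannot be used as an open redirector.` Note that `IsLocalUrl` already returns false for null/empty input, so the `IsNullOrWhiteSpace` half is redundant but harmless to keep for readability. The branch that actually redirects to an accepted `returnUrl`, and the rest of the login method, lie outside this hunk and should be checked to confirm no other redirect target bypasses this check.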