Fixes #16702: Fix validation of return_url query parameter

netbox-community · Jun 24, 2024 · bfd023c · bfd023c
1 parent f4ac23d
commit bfd023c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/netbox/utilities/views.py b/netbox/utilities/views.py
@@ -4,6 +4,7 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext_lazy as _
 
 from netbox.plugins import PluginConfig
@@ -123,7 +124,7 @@ def get_return_url(self, request, obj=None):
         # First, see if `return_url` was specified as a query parameter or form data. Use this URL only if it's
         # considered safe.
         return_url = request.GET.get('return_url') or request.POST.get('return_url')
-        if return_url and return_url.startswith('/'):
+        if return_url and url_has_allowed_host_and_scheme(return_url, allowed_hosts=None):
             return return_url
 
         # Next, check if the object being modified (if any) has an absolute URL.