From 1c2e022443dc9bde4597a9dc6ca573ee78b639fa Mon Sep 17 00:00:00 2001
From: Stefan Haun
Date: Tue, 10 Mar 2020 22:09:35 +0100
Subject: [PATCH] Send 400 when Redmine URI does not start with HTTPS
---
 app.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app.py b/app.py
index 0da9d78..017dc9b 100644
--- a/app.py
+++ b/app.py
@@ -90,6 +90,8 @@ def get(self):
 redmineurl = self.get_argument('url', None)
 if redmineurl is None or redmineurl == '':
 raise tornado.web.HTTPError(status_code=400, reason="Redmine URL must not be empty")
+ if not redmineurl.lower().startswith("https"):
+ raise tornado.web.HTTPError(status_code=400, reason="Redmine URL must start with 'HTTPS'")
 apikey = self.get_argument('apikey', None)
 if apikey is None or apikey == '':
 raise tornado.web.HTTPError(status_code=400, reason="API key URL must not be empty")
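Review bot: The added check `redmineurl.lower().startswith("https")` tests a string prefix rather than the URL scheme, so values such as `httpsfoo` or a bare `https:` with no host pass it and reach whatever consumes the URL later in `get` (the body continues outside this hunk). Parsing the value is stricter: `parts = urllib.parse.urlsplit(redmineurl)` followed by `if parts.scheme != "https" or not parts.hostname:` before raising the same 400 (this needs `import urllib.parse` if the file does not already have it). `urlsplit` can raise `ValueError` on malformed input, which should map to a 400 as well. If the handler goes on to make a server-side request to this URL with the supplied API key, which is not visible here, the scheme check alone does not limit which hosts can be reached, so an allow-list of expected Redmine hosts would be worth considering.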