From caca074161977fcbd7d3d0cd0e02b42efb3e8184 Mon Sep 17 00:00:00 2001
From: jeremystretch <jstretch@ns1.com>
Date: Mon, 8 Aug 2022 14:21:42 -0400
Subject: [PATCH] Fixes #9950: Prevent redirection to arbitrary URLs via 'next'
 parameter on login URL

---
 docs/release-notes/version-3.2.md | 1 +
 netbox/users/views.py             | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/release-notes/version-3.2.md b/docs/release-notes/version-3.2.md
index f231b6e58..46718837e 100644
--- a/docs/release-notes/version-3.2.md
+++ b/docs/release-notes/version-3.2.md
@@ -23,6 +23,7 @@
 * [#9919](https://github.com/netbox-community/netbox/issues/9919) - Fix potential XSS avenue via linked objects in tables
 * [#9948](https://github.com/netbox-community/netbox/issues/9948) - Fix TypeError exception when requesting API tokens list as non-authenticated user
 * [#9949](https://github.com/netbox-community/netbox/issues/9949) - Fix KeyError exception resulting from invalid API token provisioning request
+* [#9950](https://github.com/netbox-community/netbox/issues/9950) - Prevent redirection to arbitrary URLs via `next` parameter on login URL
 * [#9952](https://github.com/netbox-community/netbox/issues/9952) - Prevent InvalidMove when attempting to assign a nested child object as parent
 
 ---
diff --git a/netbox/users/views.py b/netbox/users/views.py
index 344f375fc..f08cac844 100644
--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@@ -10,6 +10,7 @@ from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic import View
 from social_core.backends.utils import load_backends
@@ -91,7 +92,7 @@ class LoginView(View):
         data = request.POST if request.method == "POST" else request.GET
         redirect_url = data.get('next', settings.LOGIN_REDIRECT_URL)
 
-        if redirect_url and redirect_url.startswith('/'):
+        if redirect_url and url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None):
             logger.debug(f"Redirecting user to {redirect_url}")
         else:
             if redirect_url: