From 0c8a4724055d9c8e48fb2473c3c7769771f16549 Mon Sep 17 00:00:00 2001 From: Trey <73353716+TreyWW@users.noreply.github.com> Date: Sat, 19 Oct 2024 21:05:23 +0100 Subject: [PATCH] Fix code scanning alert no. 20: URL redirection from remote source Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- backend/core/views/auth/login.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/backend/core/views/auth/login.py b/backend/core/views/auth/login.py index c8f607d55..57d60d804 100644 --- a/backend/core/views/auth/login.py +++ b/backend/core/views/auth/login.py @@ -10,6 +10,7 @@ from django.shortcuts import render, redirect from django.urls import resolve, reverse from django.urls.exceptions import Resolver404 +from django.utils.http import url_has_allowed_host_and_scheme from django.utils.decorators import method_decorator from django.views import View from django.views.decorators.http import require_GET, require_POST @@ -76,10 +77,13 @@ def login_manual(request: HttpRequest): messages.warning(request, "You have been requested by an administrator to change your account password.") return redirect("settings:change_password") - try: - resolve(redirect_url) - return redirect(redirect_url) - except Resolver404: + if url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None): + try: + resolve(redirect_url) + return redirect(redirect_url) + except Resolver404: + return redirect("dashboard") + else: return redirect("dashboard")
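Review bot: `allowed_hosts=None` makes url_has_allowed_host_and_scheme() accept only host-less, path-relative targets (any absolute URL, including the site's own host, falls through to the dashboard), which is the right guard here but is not obvious from the call site; a one-line comment such as `# allowed_hosts=None: only a path-relative "next" is honoured, never an absolute URL` would stop a later maintainer from widening it to `request.get_host()` without reconsidering the open-redirect risk. Django's own LoginView passes `require_https=request.is_secure()` to the same helper; with host-less targets it changes nothing today, but it should accompany any future widening of allowed_hosts. The new `else:` branch duplicates the `except Resolver404` fallback, so the same logic reads more directly as a guard clause, `if not url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None): return redirect("dashboard")`, followed by the unchanged try/except. login_manual begins before the hunk, so where redirect_url is read from is not visible here.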