From 1c5f4aaf2e2e9facc82fa1397e3ddba0bb3778d0 Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Mon, 2 Aug 2021 00:16:47 +0300
Subject: [PATCH] fixed possible open redirect bypass on signin page

---
 src/main/java/com/erudika/scoold/utils/HttpUtils.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/com/erudika/scoold/utils/HttpUtils.java b/src/main/java/com/erudika/scoold/utils/HttpUtils.java
index ffcb52c1..14099b3e 100644
--- a/src/main/java/com/erudika/scoold/utils/HttpUtils.java
+++ b/src/main/java/com/erudika/scoold/utils/HttpUtils.java
@@ -311,7 +311,7 @@ public static String getBackToUrl(HttpServletRequest req) {
 }
 if ((StringUtils.startsWithIgnoreCase(backtoFromCookie, "http://") ||
 StringUtils.startsWithIgnoreCase(backtoFromCookie, "https://")) &&
- !StringUtils.startsWithIgnoreCase(backtoFromCookie, ScooldServer.getServerURL())) {
+ !StringUtils.startsWithIgnoreCase(backtoFromCookie, ScooldServer.getServerURL() + "/")) {
 backtoFromCookie = "";
 }
 return (StringUtils.isBlank(backtoFromCookie) ? HOMEPAGE : backtoFromCookie);
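Review bot: The tightened prefix check on the `+` line still only runs for values that begin with `http://` or `https://`, so a cookie value such as `//evil.example` (protocol-relative) or `/\evil.example` (browsers fold the backslash into `//`) is never compared against the server URL and is returned as-is, which presumably ends up in a redirect. A safer shape is an allow-list rather than a deny-list: accept the value only if it starts with a single `/` that is not followed by `/` or `\`, or starts with `ScooldServer.getServerURL() + "/"`, e.g. `boolean local = backtoFromCookie.startsWith("/") && !backtoFromCookie.startsWith("//") && !backtoFromCookie.startsWith("/\\");` and `if (!local && !StringUtils.startsWithIgnoreCase(backtoFromCookie, ScooldServer.getServerURL() + "/")) { backtoFromCookie = ""; }`; alternatively parse with `java.net.URI` and compare scheme, host and port explicitly. Note also that if `getServerURL()` is ever configured with a trailing slash, the new `+ "/"` produces `//` and every legitimate absolute URL falls through to `HOMEPAGE` — worth stripping a trailing slash before concatenating, which cannot be confirmed from this hunk. The enclosing `getBackToUrl` begins before this hunk, so how `backtoFromCookie` is populated is not visible here.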