cf7bc66b112f6a96139222a17b1ae2211f8031f3
galt
  Fri Dec 7 19:52:20 2018 -0800
cartReset was too permissive, allowing Open Redirect problems. Reported by Anthony. refs #22596

diff --git src/hg/cartReset/cartReset.c src/hg/cartReset/cartReset.c
index 900fccb..28956d9 100644
--- src/hg/cartReset/cartReset.c
+++ src/hg/cartReset/cartReset.c
@@ -24,26 +24,29 @@
 //a clickable link for browsers that do not support meta refresh 
 printf("Your settings are now reset to defaults.<BR>");
 char *destination = cgiUsualString("destination", defaultDestination);
 printf("You will be automatically redirected to the gateway page in 0 second,\n"
 " or you can <BR> <A href=\"%s\">click here to continue</A>.\n",
        destination);
 */
 }
 
 int main(int argc, char *argv[])
 /* Process command line. */
 {
 long enteredMainTime = clock1000();
 struct dyString *headText = newDyString(512);
 char *destination = cgiUsualString("destination", defaultDestination);
+if (strstr(destination, "://"))
+    errAbort("To stop Open Redirect abuse, only relative URLs are supported. "
+	    "Request for destination=[%s] rejected.\n", destination);
 
 dyStringPrintf(headText,
 	       "<META HTTP-EQUIV=\"REFRESH\" CONTENT=\"0;URL=%s\">"
 	       "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
 	       "<META HTTP-EQUIV=\"Expires\" CONTENT=\"-1\">"
 	       ,destination);
 htmShellWithHead("Reset Cart", headText->string, doMiddle, NULL);
 dyStringFree(&headText);
 cgiExitTime("cartReset", enteredMainTime);
 return 0;
 }
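Review bot: The added check on the `destination` parameter rejects only values containing `://`, so a protocol-relative value beginning with `//` (which browsers resolve against the current scheme to another host) still passes and reaches the META REFRESH redirect below, leaving the open-redirect issue the commit is meant to close partially unaddressed. If the intended destinations are always same-site paths (defaultDestination is not visible here, so that would need confirming), tightening to `if (strstr(destination, "://") || strncmp(destination, "//", 2) == 0 || strncmp(destination, "/\\", 2) == 0)` closes that gap; alternatively require `destination[0] == '/'` with a second character that is neither `/` nor `\`. Separately, `destination` is still interpolated unescaped into the CONTENT attribute of the META tag and echoed into the errAbort message, so a value containing `"` or `>` can break out of the attribute — encoding it (or allow-listing the character set) would be worth a follow-up. A one-line comment above the check such as `/* Reject absolute and protocol-relative URLs so the redirect stays on this site. */` would make the intent clear to the next maintainer.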