From 0b38d594020ac87bd1011217da08458263acbd51 Mon Sep 17 00:00:00 2001
From: timgl
Date: Sun, 17 Dec 2023 19:10:45 +0000
Subject: [PATCH] safety

---
 posthog/urls.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/posthog/urls.py b/posthog/urls.py
index e4c5734662723..44eabafc43d46 100644
--- a/posthog/urls.py
+++ b/posthog/urls.py
@@ -17,6 +17,7 @@
     SpectacularSwaggerView,
 )
 from revproxy.views import ProxyView
+from django.utils.http import url_has_allowed_host_and_scheme
 from sentry_sdk import last_event_id
 from two_factor.urls import urlpatterns as tf_urls
 
@@ -91,7 +92,9 @@ def handler500(request):
 @ensure_csrf_cookie
 def home(request, *args, **kwargs):
     if settings.REDIRECT_APP_TO_US and request.get_host().split(":")[0] == "app.posthog.com":
-        return HttpResponseRedirect("https://us.posthog.com{}".format(request.get_full_path()))
+        url = "https://us.posthog.com{}".format(request.get_full_path())
+        if url_has_allowed_host_and_scheme(url, "us.posthog.com", True):
+            return HttpResponseRedirect(url)
     return render_template("index.html", request)
 
 
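Review bot: The new `from django.utils.http import url_has_allowed_host_and_scheme` line is inserted between the `revproxy` and `sentry_sdk` third-party imports rather than with the file's other Django imports, which presumably sit earlier in the file outside this hunk (`HttpResponseRedirect` and `ensure_csrf_cookie` are used in the second hunk, so a Django import group exists). An import sorter such as isort or ruff would move it on the next pass, so placing it in the Django group now avoids a spurious reorder in a later commit.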
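Review bot: When `url_has_allowed_host_and_scheme` rejects the URL, `home` silently falls through to `render_template("index.html", request)` and serves the app from `app.posthog.com`, which is the situation `REDIRECT_APP_TO_US` exists to avoid, and nothing records that a redirect was refused; a log line before the fall-through, e.g. `logger.warning("Refused redirect to %s", url)`, would make such requests visible (assuming the module has a logger, which this hunk does not show). Because the scheme and host are fixed by the `"https://us.posthog.com{}"` template and only the path and query string come from `request.get_full_path()`, this guard is defence in depth rather than the fix for a known bypass, so a short comment such as `# defence in depth: the path/query are request-controlled, re-check host and scheme before redirecting` would stop a later reader from removing it as dead code. The bare positional `True` is also easy to misread; Django's signature makes `if url_has_allowed_host_and_scheme(url, allowed_hosts={"us.posthog.com"}, require_https=True):` equivalent and self-describing.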