From 3b2f681adb510cc8c4309f1f2eefdad4f9f552f0 Mon Sep 17 00:00:00 2001
From: Vincent Driessen
Date: Mon, 30 Apr 2012 08:03:37 +0200
Subject: [PATCH] Replace only the scheme part of the URL.

This prevents accidental rewrites of any HTTP URLs in query string parameters, like for example:

http://localhost/translate?src=http://non-secure-site.org/
---
 flask_sslify.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/flask_sslify.py b/flask_sslify.py
index 69b54b4..0e30f5b 100644
--- a/flask_sslify.py
+++ b/flask_sslify.py
@@ -43,10 +43,11 @@ class SSLify(object):
         ]
 
         if not any(criteria):
-            url = request.url.replace('http://', 'https://')
-            r = redirect(url)
+            if request.url.startswith('http://'):
+                url = request.url.replace('http://', 'https://', 1)
+                r = redirect(url)
 
-            return r
+                return r
 
     def set_hsts_header(self, response):
         """Adds HSTS header to each response."""
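Review bot: The `startswith('http://')` guard plus `replace('http://', 'https://', 1)` on the two added lines states the intent twice and still depends on the count argument surviving future edits; `url = 'https://' + request.url[len('http://'):]` rewrites only the scheme by construction and cannot regress into touching the query string again. The guard is also case-sensitive; Werkzeug presumably normalises `wsgi.url_scheme` to lowercase before assembling `request.url`, but that assumption is what makes the check complete, so a comment such as `# scheme in request.url is lowercase (wsgi.url_scheme); anything else is not redirected` would record it. Separately, the redirect target is still derived wholesale from `request.url`, which carries the client-supplied Host header, so the HTTPS redirect goes wherever the client claims the host is — not introduced by this change, but worth validating against a configured server name before this handler is relied on as a security control. The enclosing method begins outside the hunk, so the `criteria` list and the fall-through (the method now returns `None` for a non-`http://` URL) are not visible here.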