@bitquark reported a low-risk open redirect on GitHub.com. Rails code such as redirect_to :back sends the user back to whatever URL the browser supplied in the Referer header, so it could be exploited to redirect a user to an arbitrary location if they were first forwarded to GitHub via a malicious site.

We addressed the behavior by limiting the locations passed via Referer headers that we allow to be used for redirection.
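The check described above, as an added illustration rather than GitHub's own code: the Referer-derived target is only honoured when it points at our own host (example.com is an assumed host), and anything else, including protocol-relative and non-http URLs, falls back to a fixed safe path.

```ruby
require 'uri'

# Assumed values for this example: the host that redirect-back targets must
# belong to, and the safe path used when the Referer cannot be trusted.
ALLOWED_HOST = "example.com"
FALLBACK_PATH = "/"

# Returns a same-site relative location derived from the Referer header,
# or the fallback when the Referer is missing, unparsable, not http(s),
# or points at a different host.
def safe_back_location(referer, allowed_host: ALLOWED_HOST, fallback: FALLBACK_PATH)
  return fallback if referer.nil? || referer.strip.empty?

  uri = URI.parse(referer)
  # URI::HTTPS is a subclass of URI::HTTP; anything else (javascript:,
  # data:, or a scheme-less "//evil" URL parsed as URI::Generic) is rejected.
  return fallback unless uri.is_a?(URI::HTTP)
  return fallback unless uri.host&.casecmp?(allowed_host)

  # Re-emit only path and query so userinfo, port and fragment tricks in the
  # original Referer never reach the Location header.
  path = uri.path.empty? ? "/" : uri.path
  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  fallback
end

# Hypothetical controller usage, replacing `redirect_to :back`:
#   redirect_to safe_back_location(request.referer)
```

Newer Rails versions ship redirect_back(fallback_location:), which covers the missing-Referer case but still needs a host check like the one above before the Referer value is trusted.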