Confirmation link should not include invalid takemeback URLs
From the security inbox (the confirmation URL is expired):
I found a bug on your site. So, please click and see the URL: https://accounts.eclipse.org/user/login/?takemeback=https%3A%2F%2Fwww.eclipse.org%2Fsecurity%2Fknown.php
It's a normal URL, but we change it to this: https://accounts.eclipse.org/user/login/?takemeback=https%3A%2F%2Fwww.evil.com%2Fsecurity%2Fknown.php
BOOM, and we click to sign up and register to the system. The email confirmation is sent to the email you see :))) To confirm your registration, please visit this URL:
I consider the risk very low here since the system does not redirect if the URL is not in our list of valid domains to redirect to. However, I am creating this issue to remove the takemeback query variable from confirmation emails if the domain is considered valid (eclipse.org web property).