diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index 2d16f24bf29..77a53d808a6 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -133,7 +133,8 @@ class StaticController < ApplicationController
 forum_uri = URI(Discourse.base_url)
 uri = URI(redirect_location)
- if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host) && uri.path !~ /\./
+ if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host) &&
+ uri.path =~ %r{\A\/{1}[^\.\s]*\z}
 destination = "#{uri.path}#{uri.query ? "?#{uri.query}" : ""}"
 end
 rescue URI::Error
@@ -141,7 +142,7 @@ class StaticController < ApplicationController
 end
 end
- redirect_to destination
+ redirect_to(destination, allow_other_host: false)
 end
 FAVICON ||= -"favicon"
diff --git a/spec/requests/static_controller_spec.rb b/spec/requests/static_controller_spec.rb
index 65060a8393b..3790fa3c2e7 100644
--- a/spec/requests/static_controller_spec.rb
+++ b/spec/requests/static_controller_spec.rb
@@ -290,7 +290,7 @@ RSpec.describe StaticController do
 end
 end
- context "with a full url to someone else" do
+ context "with a full url to an external host" do
 it "redirects to the root path" do
 post "/login.json", params: { redirect: "http://eviltrout.com/foo" }
 expect(response).to redirect_to("/")
@@ -320,6 +320,13 @@ RSpec.describe StaticController do
 expect(response).to redirect_to("/")
 end
 end
+
+ context "when the redirect path is invalid" do
+ it "redirects to the root URL" do
+ post "/login.json", params: { redirect: "test" }
+ expect(response).to redirect_to("/")
+ end
+ end
 end
 describe "#service_worker_asset" do
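Review bot: The new pattern `%r{\A\/{1}[^\.\s]*\z}` on the second added line carries redundant escaping — `{1}` is a no-op quantifier, `/` needs no escape inside `%r{}` delimiters, `.` is literal inside a character class — and `=~` allocates a MatchData the code never reads, so the same check reads more plainly as `uri.path.match?(%r{\A/[^.\s]*\z})`. Nothing states the intent of the condition (accept only a leading-slash, dot-free path whose host is blank or the forum's own, so that a bare relative value such as `test` no longer becomes a redirect target); a comment above the `if` like `# only an absolute, dot-free path on this host is a valid redirect target; anything else keeps the default destination` would spare the next reader re-deriving it. It is also worth noting in that comment that `destination` is built from the parsed `uri.path`, not the raw parameter, which is what keeps protocol-relative input such as `//host/foo` from surviving the host comparison, while `uri.query` is appended without further checks. The enclosing method starts before this hunk and its closing `end` is in the next one, and the default value of `destination` is set outside the visible lines (presumably `/`, as the new spec expects).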
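Review bot: `redirect_to(destination, allow_other_host: false)` makes Rails raise `ActionController::Redirecting::UnsafeRedirectError` on a cross-host target rather than fall back to a safe path, so the added line is a fail-closed assertion, not a second line of fallback, and the hunk gives no hint that a raise here is meant to be unreachable because `destination` is only ever the validated `uri.path` (plus query) or the default. A one-line comment would make that contract explicit: `# destination is a same-host path by construction; allow_other_host: false is defence in depth and should never trigger`. The keyword requires a Rails version that supports it (7.0 or later, as far as I recall), which the diff does not show, so it is worth confirming against the app's Gemfile.lock. The method whose `end` closes here begins in the previous hunk.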
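Review bot: The new context pins only the bare value `"test"`, but the class of inputs whose rejection is new is wider: the old condition accepted any dot-free relative path, so `test/foo` and `test?x=1` (path `test`, query `x=1`) used to become redirect targets and are now rejected by the leading-slash anchor. A second example such as `post "/login.json", params: { redirect: "test?x=1" }` expecting `redirect_to("/")` would lock in the query-carrying case, which is the one most likely to regress if the pattern is later relaxed. The description "redirects to the root URL" also differs from the sibling context's "redirects to the root path" for the same assertion; matching the wording keeps the spec output scannable.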