diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -76,7 +76,10 @@ class LoginController(BaseController):
     def index(self):
         c.came_from = safe_str(request.GET.pop('came_from', ''))
-        if self._validate_came_from(c.came_from):
+        if c.came_from:
+            if not self._validate_came_from(c.came_from):
+                log.error('Invalid came_from (not server-relative): %r', c.came_from)
+                raise HTTPBadRequest()
             came_from = url(c.came_from, **request.GET)
         else:
             c.came_from = came_from = url('home')
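Review bot: The whole open-redirect guarantee now rests on `_validate_came_from`, which is outside this hunk, so it is worth confirming that it rejects not only absolute URLs but protocol-relative forms (`//evil.example`), backslash variants (`/\evil.example`, which browsers normalise to `//`) and CR/LF or other control characters, since the accepted value is both passed to `url()` and kept on `c.came_from`, presumably for the template. Logging a client-controlled value at ERROR level lets any unauthenticated visitor fill the error log with a crafted query string; `log.warning('Invalid came_from (not server-relative): %r', c.came_from)` is the usual level for rejected input, and `%r` already keeps it on one line. Raising HTTPBadRequest instead of the previous fall-through to `url('home')` is a reasonable hardening choice but changes behaviour for stale bookmarks, so a one-line comment such as `# reject rather than silently redirect home, so broken links are noticed` would record that it is deliberate. By the hunk header counts one trailing context line of index() is not visible here, and the method continues past the hunk.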