diff -r 8ddd6b4a1b58 -r 60961bf7f0d8 roundup/anypy/urllib_.py
--- a/roundup/anypy/urllib_.py	Tue Sep 05 12:20:27 2017 +0300
+++ b/roundup/anypy/urllib_.py	Tue Sep 05 19:43:44 2017 +0300
@@ -1,8 +1,8 @@
 try:
     # Python 3+
-    from urllib.parse import quote, urlencode, urlparse, parse_qs, urlunparse
+    from urllib.parse import unquote, quote, urlencode, urlparse, parse_qs, urlunparse
 except:
     # Python 2.5-2.7
-    from urllib import quote, urlencode
+    from urllib import unquote, quote, urlencode
     from urlparse import urlparse, parse_qs, urlunparse
 
diff -r 8ddd6b4a1b58 -r 60961bf7f0d8 roundup/cgi/actions.py
--- a/roundup/cgi/actions.py	Tue Sep 05 12:20:27 2017 +0300
+++ b/roundup/cgi/actions.py	Tue Sep 05 19:43:44 2017 +0300
@@ -104,18 +104,23 @@
             'url_query': parsed_url_tuple.query,
             'url_fragment': parsed_url_tuple.fragment
         }
-        if parsed_base_url_tuple.scheme == "https":
-            if parsed_url_tuple.scheme != "https":
-                raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info)
-        else:
-            if parsed_url_tuple.scheme not in ('http', 'https'):
-                raise ValueError(self._("Unrecognized scheme in %(url)s")%info)
+        if parsed_url_tuple.scheme:
+            if parsed_base_url_tuple.scheme == "https":
+                if parsed_url_tuple.scheme != "https":
+                    raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info)
+            else:
+                if parsed_url_tuple.scheme not in ('http', 'https'):
+                    raise ValueError(self._("Unrecognized scheme in %(url)s")%info)
 
-        if parsed_url_tuple.netloc <> parsed_base_url_tuple.netloc:
-            raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info)
+        if parsed_url_tuple.netloc:
+            if parsed_url_tuple.netloc <> parsed_base_url_tuple.netloc:
+                raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info)
 
-        if parsed_url_tuple.path.find(parsed_base_url_tuple.path) <> 0:
-            raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info)
+        # is it possible to hide absolute path (/...) behind %2f...?
+        # If it is unquote path before checking is a wise.
+        if parsed_url_tuple.path and urllib_.unquote(parsed_url_tuple.path)[0] == '/':
+            if parsed_url_tuple.path.find(parsed_base_url_tuple.path) <> 0:
+                raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info)
 
         # I am not sure if this has to be language sensitive.
         # Do ranges depend on the LANG of the user??
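Review bot: Making the netloc and path checks conditional on those components being non-empty reopens the redirect for URLs that browsers resolve differently from urlparse: `https:evil.com` has scheme `https` (accepted when the base is http), an empty netloc (check skipped) and path `evil.com` (does not start with `/`, check skipped), yet a browser resolves a special scheme without a matching base scheme as `https://evil.com/`; likewise `\\evil.com` and `/\evil.com` (when the base path is `/`) pass the path test but most browsers treat the backslashes as slashes and land on a foreign host. A scheme should never be accepted without an authority, and a backslash anywhere in the (unquoted) path should be rejected outright rather than trusted to stay relative. The new lines also keep the Python-2-only `<>` operator, which the py3 branch of the accompanying anypy shim suggests this module is meant to outgrow — `!=` is equivalent here. The enclosing method begins and ends outside this hunk, so I cannot see where `url` itself is bound.

```python
        if parsed_url_tuple.scheme:
            # … unchanged: https / http scheme checks …
            if not parsed_url_tuple.netloc:
                # "https:evil.com" has a scheme but no host; browsers resolve it
                # as https://evil.com/, so never accept a scheme without authority.
                raise ValueError(self._("Unrecognized scheme in %(url)s")%info)

        # Browsers treat "\" as "/" in Location, so "\\evil.com" and "/\evil.com"
        # become protocol-relative URLs that the netloc check never sees.
        if '\\' in urllib_.unquote(parsed_url_tuple.path):
            raise ValueError(self._("Backslash in redirect url %(url)s")%info)

        # … unchanged: netloc and base-path prefix checks …
```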