return_url ignores url parameter from POST request #66

@dmolesUC

Steps to reproduce:

  1. Configure OmniAuth to only allow POST requests to /auth/:provider as discussed in the Resolving CVE-2015-9284 wiki page.
  2. Make a POST request to /auth/calnet, providing a url parameter in the request body:

```shell
curl -v 'http://localhost:3000/auth/calnet' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'url=https%3A%2F%2Fright.example.test%2F'
```

Expected:

  • Location header in response includes the provided URL https://right.example.test/

Actual:

  • Location header in response does not include any url parameter:

```
Location: https://auth-test.berkeley.edu/cas/login?service=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcalnet%2Fcallback%3F
```

Notes:

The issue is the assumption commented on line 211 here:

```ruby
def return_url
  # If the request already has a `url` parameter, then it will already be appended to the callback URL.
  if request.params && request.params['url']
    {}
  else
    { url: request.referer }
  end
end
```

This only works for GET requests; for POST requests the parameter exists, but was never in request.query_string to be copied by OmniAuth into the callback URL (see #callback_url and #query_string in OmniAuth::Strategy).

The result is that both the provided url parameter and the Referer header (if provided) are ignored.
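The behaviour reported above, as an added illustration that is not code from omniauth-cas or from the issue author: a constructed stand-in for the Rack request and a simplified model of OmniAuth's callback URL reproduce why a `url` sent in a POST body is dropped, and `return_url_fixed` shows one possible correction (an assumption for this example, not the project's patch).

```ruby
require 'uri'

# Constructed stand-in for the Rack::Request attributes that #return_url and
# OmniAuth's #callback_url / #query_string consult (not the gem's request class).
FakeRequest = Struct.new(:query_string, :body, :referer) do
  # Rack merges query-string (GET) and form-body (POST) params into #params,
  # which is why the `url` check below cannot tell the two apart.
  def params
    Hash[URI.decode_www_form(query_string)].merge(Hash[URI.decode_www_form(body)])
  end
end

# Same logic as the #return_url quoted in the issue.
def return_url_as_reported(request)
  if request.params && request.params['url']
    {}
  else
    { url: request.referer }
  end
end

# Simplified model of OmniAuth's callback URL: callback path plus the ORIGINAL
# request's query string (body params never appear here), plus return_url's hash.
# The trailing "?" with an empty query mirrors the Location header in the issue.
def callback_url(request, return_url_hash)
  base = 'http://localhost:3000/auth/calnet/callback'
  query = [request.query_string, URI.encode_www_form(return_url_hash)].reject(&:empty?).join('&')
  "#{base}?#{query}"
end

# Assumed fix (not the project's): only treat `url` as already handled when it is
# really in the query string; otherwise carry the body param, or the Referer, explicitly.
def return_url_fixed(request)
  return {} if Hash[URI.decode_www_form(request.query_string)].key?('url')
  url = request.params['url'] || request.referer
  url ? { url: url } : {}
end

# The POST from the issue: `url` only in the body, no Referer.
POST_REQ = FakeRequest.new('', 'url=https%3A%2F%2Fright.example.test%2F', nil)
# The equivalent GET, where the parameter really is in the query string.
GET_REQ  = FakeRequest.new('url=https%3A%2F%2Fright.example.test%2F', '', nil)

if __FILE__ == $PROGRAM_NAME
  puts callback_url(POST_REQ, return_url_as_reported(POST_REQ)) # url is lost
  puts callback_url(POST_REQ, return_url_fixed(POST_REQ))       # url is kept
end
```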
