diff --git a/config/alfresco/web-client-config-properties.xml b/config/alfresco/web-client-config-properties.xml
index cb3015c162..12256586f9 100644
--- a/config/alfresco/web-client-config-properties.xml
+++ b/config/alfresco/web-client-config-properties.xml
@@ -535,8 +535,8 @@
-
-
+
+
@@ -548,8 +548,8 @@
-
-
+
+
@@ -564,8 +564,8 @@
-
-
+
+
@@ -593,8 +593,8 @@
-
-
+
+
@@ -609,8 +609,8 @@
-
-
+
+
@@ -625,8 +625,8 @@
-
-
+
+
diff --git a/source/java/org/alfresco/web/app/servlet/CommandServlet.java b/source/java/org/alfresco/web/app/servlet/CommandServlet.java
index 588bc54078..57af0f9d0d 100644
--- a/source/java/org/alfresco/web/app/servlet/CommandServlet.java
+++ b/source/java/org/alfresco/web/app/servlet/CommandServlet.java
@@ -20,6 +20,8 @@ package org.alfresco.web.app.servlet;
import java.io.IOException;
import java.io.PrintWriter;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
@@ -165,6 +167,7 @@ public class CommandServlet extends BaseServlet
String returnPage = req.getParameter(ARG_RETURNPAGE);
if (returnPage != null && returnPage.length() != 0)
{
+ validateReturnPage(returnPage, req);
if (logger.isDebugEnabled())
logger.debug("Redirecting to specified return page: " + returnPage);
@@ -192,6 +195,37 @@ public class CommandServlet extends BaseServlet
}
}
+ /**
+ * ALF-9113 CommandServlet.java, line 179 (Header Manipulation)
+ *
+ * Validates that the redirect page is within the current context.
+ *
+ * Examples of valid redirect pages:
+ *
+ * - /alfresco/faces/jsp/browse/browse.jsp
+ * - ../../browse/browse.jsp
+ *
+ *
+ * @param pageUrl
+ * @param req
+ * @throws MalformedURLException
+ * @throws IllegalArgumentException
+ */
+ private void validateReturnPage(String pageUrl, HttpServletRequest req) throws MalformedURLException
+ {
+ if (pageUrl.indexOf(':') != -1)
+ {
+ // ':' only allowed in a URL as part of a scheme prefix
+ throw new IllegalArgumentException("The redirect URL doesn't support absolute URls");
+ }
+ // Evaluate it relative to the request URL and strip out .. and .
+ pageUrl = new URL(new URL(req.getRequestURL().toString()), pageUrl).getPath();
+ if (!pageUrl.startsWith(req.getContextPath()))
+ {
+ throw new IllegalArgumentException("The redirect URL must be in the same context.");
+ }
+ }
+
/**
* Created the specified CommandProcessor instance. The name of the processor is looked up
* in the client config, it should find a valid class impl and then create it.
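Review bot: validateReturnPage checks only the path of the resolved URL, while the caller (earlier hunk, the redirect itself is outside both hunks) still redirects to the original returnPage string, so a scheme-relative reference (one starting with `//`) contains no ':', resolves to a different authority, and still yields a context-prefixed path that passes `startsWith(req.getContextPath())`. The check should also compare scheme, host and port of the resolved URL against the request URL, and `startsWith(req.getContextPath())` should match on `contextPath + "/"` (or equality) so that a sibling context sharing the prefix is not accepted; with a root context the path check is vacuous, which is correct but worth a comment. The Javadoc's "line 179" reference will drift and the `@param` tags are empty; suggest `@param pageUrl relative return page supplied by the client` and `@param req current request, used for the base URL and context path`, and dropping the line number.
```java
    private void validateReturnPage(String pageUrl, HttpServletRequest req) throws MalformedURLException
    {
        // … unchanged: ':' check rejecting absolute URLs …
        URL base = new URL(req.getRequestURL().toString());
        // Resolve against the request URL; a scheme-relative reference ("//...") resolves to
        // another authority while still producing a path under this context, so the authority
        // must be compared as well as the path.
        URL resolved = new URL(base, pageUrl);
        if (!resolved.getProtocol().equals(base.getProtocol())
                || !resolved.getHost().equalsIgnoreCase(base.getHost())
                || resolved.getPort() != base.getPort())
        {
            throw new IllegalArgumentException("The redirect URL must be on the same host.");
        }
        // Match on contextPath + '/' so a sibling context that merely shares the prefix is rejected.
        String ctx = req.getContextPath();
        String path = resolved.getPath();
        if (!path.equals(ctx) && !path.startsWith(ctx + "/"))
        {
            throw new IllegalArgumentException("The redirect URL must be in the same context.");
        }
    }
```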