dlindahl / omniauth-cas

A CAS OmniAuth Strategy
MIT License
88 stars 79 forks

return_url ignores `url` parameter from POST request #66

Open dmolesUC opened 2 years ago

dmolesUC commented 2 years ago

Steps to reproduce:

  1. Configure OmniAuth to only allow POST requests to /auth/:provider as discussed in the Resolving CVE-2015-9284 wiki page.
  2. Make a POST request to /auth/calnet, providing a url parameter in the request body:

     curl -v 'http://localhost:3000/auth/calnet' \
       -H 'Content-Type: application/x-www-form-urlencoded' \
       -d 'url=https%3A%2F%2Fright.example.test%2F'

Expected:

Actual:

Location: https://auth-test.berkeley.edu/cas/login?
  service=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcalnet%2Fcallback%3F

Notes:

The issue is the assumption commented on line 211 here:

https://github.com/dlindahl/omniauth-cas/blob/4ab8a1c9c3333223a547cdd266679b9edf3a0f58/lib/omniauth/strategies/cas.rb#L210-L217

This only works for GET requests; for POST requests the parameter exists, but was never in request.query_string to be copied by OmniAuth into the callback URL (see #callback_url and #query_string in OmniAuth::Strategy).

The result is that both the provided url parameter and the Referer header (if provided) are ignored.
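The behaviour described in this report, reproduced as an added stand-alone Ruby example (not omniauth-cas or OmniAuth code): a minimal stand-in for the parts of Rack::Request involved, a `url` extractor that only looks at the query string (the GET-only pattern the issue points at), and a variant that reads the merged GET/POST params instead. The CAS login host, the `Request` struct, and the helper names are assumptions made for this example; the trailing `?` on the reproduced callback URL mirrors the `callback%3F` in the Location header above and assumes the query string is appended unconditionally.

```ruby
require 'uri'
require 'cgi'

# Constructed stand-in for the subset of Rack::Request used here (not OmniAuth's).
Request = Struct.new(:request_method, :query_string, :form_body) do
  # Like Rack::Request#params: query-string params merged with POST form params.
  def params
    URI.decode_www_form(query_string.to_s).to_h
       .merge(URI.decode_www_form(form_body.to_s).to_h)
  end
end

CAS_LOGIN = 'https://cas.example.test/cas/login' # placeholder CAS server, not a real host
APP_BASE  = 'http://localhost:3000'

# GET-only pattern from the issue: the `url` parameter is recovered from
# request.query_string alone, so a `url` sent in a POST body is never seen.
def return_url_query_string_only(req)
  return nil if req.query_string.to_s.empty?
  URI.decode_www_form(req.query_string).to_h['url']
end

# Callback URL built from the query string only; with an empty query string
# this leaves a bare "?" behind, which is what the reported Location shows.
def callback_url_query_string_only(req)
  "#{APP_BASE}/auth/calnet/callback?#{req.query_string}"
end

# Corrected variant (assumed fix, not the project's): read the merged params,
# so GET query and POST body are treated alike, and re-encode `url` explicitly.
def return_url_from_params(req)
  req.params['url']
end

def callback_url_from_params(req)
  base = "#{APP_BASE}/auth/calnet/callback"
  url = return_url_from_params(req)
  url ? "#{base}?#{URI.encode_www_form(url: url)}" : base
end

# The redirect target handed to the CAS server: the callback becomes `service`.
def cas_login_url(callback)
  "#{CAS_LOGIN}?service=#{CGI.escape(callback)}"
end

if __FILE__ == $PROGRAM_NAME
  encoded = 'url=https%3A%2F%2Fright.example.test%2F'     # constructed sample input
  get_req  = Request.new('GET',  encoded, '')
  post_req = Request.new('POST', '',      encoded)

  [get_req, post_req].each do |req|
    puts "#{req.request_method}: query-string-only url=#{return_url_query_string_only(req).inspect}"
    puts "  Location (query-string only): #{cas_login_url(callback_url_query_string_only(req))}"
    puts "  Location (merged params):     #{cas_login_url(callback_url_from_params(req))}"
  end
end
```

Running it shows the POST case producing `service=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcalnet%2Fcallback%3F` with the `url` dropped, while the merged-params variant carries the same `url` for both request methods.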

dmolesUC commented 2 years ago

I have a pull request ready to go (#67), but all that said, I'm not sure how important this is except as a way of minimizing migration effort, since OmniAuth separately provides more or less the same functionality via the origin param.