summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2022-04-18 16:33:10 +0200
committerGitHub <noreply@github.com>2022-04-18 16:33:10 +0200
commit5591a72571b8a07c5e3d87dcfe08310bb7611d15 (patch)
tree152065942c5e56eb44dcb66e6234e9e00449e478
parentfe7cb345448822528ce0447141810c27f9e56cff (diff)
Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.
-rw-r--r--django/contrib/auth/views.py5
-rw-r--r--tests/auth_tests/test_views.py6
2 files changed, 10 insertions, 1 deletions
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index f86debde00..5de3989ffc 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -175,7 +175,10 @@ class LogoutView(SuccessURLAllowedHostsMixin, TemplateView):
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
- next_page = self.request.path
+ if settings.LOGOUT_REDIRECT_URL:
+ next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
+ else:
+ next_page = self.request.path
return next_page
def get_context_data(self, **kwargs):
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 622a40de22..dbff931753 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -1335,6 +1335,12 @@ class LogoutTest(AuthViewsTestCase):
response = self.client.post("/logout/")
self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
+ @override_settings(LOGOUT_REDIRECT_URL="/custom/")
+ def test_logout_redirect_url_setting_allowed_hosts_unsafe_host(self):
+ self.login()
+ response = self.client.post("/logout/allowed_hosts/?next=https://evil/")
+ self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
+
@override_settings(LOGOUT_REDIRECT_URL="logout")
def test_logout_redirect_url_named_setting(self):
self.login()