summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJannis Leidel <jannis@leidel.info>2011-03-01 22:49:18 +0000
committerJannis Leidel <jannis@leidel.info>2011-03-01 22:49:18 +0000
commitec193224d3580fbcfa78da96a6a7fc4343929dd8 (patch)
tree758e5e868e907146d2bc2b3c4818235432a8b3fa
parentbe4a2e3f3e0a04c87e6c9127cb1011df7c53e9e9 (diff)
Fixed #12534 -- Loosened the the security check for "next" redirects after logins slightly to allow paths that contain spaces. Thanks for the patch, jnns and aaugustin.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15702 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/auth/tests/views.py5
-rw-r--r--django/contrib/auth/views.py6
2 files changed, 7 insertions, 4 deletions
diff --git a/django/contrib/auth/tests/views.py b/django/contrib/auth/tests/views.py
index a9bcd95434..530956ae45 100644
--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -236,7 +236,9 @@ class LoginTest(AuthViewsTestCase):
'/view?param=ftp://exampel.com',
'view/?param=//example.com',
'https:///',
- '//testserver/'):
+ '//testserver/',
+ '/url%20with%20spaces/', # see ticket #12534
+ ):
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
'url': login_url,
'next': REDIRECT_FIELD_NAME,
@@ -251,6 +253,7 @@ class LoginTest(AuthViewsTestCase):
self.assertTrue(good_url in response['Location'],
"%s should be allowed" % good_url)
+
class LoginURLSettings(AuthViewsTestCase):
urls = 'django.contrib.auth.tests.urls'
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index 8d0453f8f9..c34a4a377e 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -34,11 +34,11 @@ def login(request, template_name='registration/login.html',
if form.is_valid():
netloc = urlparse.urlparse(redirect_to)[1]
- # Light security check -- make sure redirect_to isn't garbage.
- if not redirect_to or ' ' in redirect_to:
+ # Use default setting if redirect_to is empty
+ if not redirect_to:
redirect_to = settings.LOGIN_REDIRECT_URL
- # Heavier security check -- don't allow redirection to a different
+ # Security check -- don't allow redirection to a different
# host.
elif netloc and netloc != request.get_host():
redirect_to = settings.LOGIN_REDIRECT_URL