diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2012-11-17 22:00:53 +0100 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-12-10 22:13:28 +0100 |
| commit | fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5 (patch) | |
| tree | 93a70aabbaae9a4be826afeeadb41957224ef3f8 /django/views | |
| parent | 984cf8417b9f6738e3bc09cbcfb697eeffe441a5 (diff) | |
[1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
Diffstat (limited to 'django/views')
| -rw-r--r-- | django/views/i18n.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/django/views/i18n.py b/django/views/i18n.py index c1d456d667..c87e3a82db 100644 --- a/django/views/i18n.py +++ b/django/views/i18n.py @@ -9,6 +9,7 @@ from django.utils.text import javascript_quote from django.utils.encoding import smart_text from django.utils.formats import get_format_modules, get_format from django.utils._os import upath +from django.utils.http import is_safe_url from django.utils import six def set_language(request): @@ -22,11 +23,11 @@ def set_language(request): redirect to the page in the request (the 'next' parameter) without changing any state. """ - next = request.REQUEST.get('next', None) - if not next: - next = request.META.get('HTTP_REFERER', None) - if not next: - next = '/' + next = request.REQUEST.get('next') + if not is_safe_url(url=next, host=request.get_host()): + next = request.META.get('HTTP_REFERER') + if not is_safe_url(url=next, host=request.get_host()): + next = '/' response = http.HttpResponseRedirect(next) if request.method == 'POST': lang_code = request.POST.get('language', None) |
