summaryrefslogtreecommitdiff
path: root/django/views
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2012-11-17 22:00:53 +0100
committerFlorian Apolloner <florian@apolloner.eu>2012-12-10 22:13:28 +0100
commitfce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5 (patch)
tree93a70aabbaae9a4be826afeeadb41957224ef3f8 /django/views
parent984cf8417b9f6738e3bc09cbcfb697eeffe441a5 (diff)
[1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
Diffstat (limited to 'django/views')
-rw-r--r--django/views/i18n.py11
1 files changed, 6 insertions, 5 deletions
diff --git a/django/views/i18n.py b/django/views/i18n.py
index c1d456d667..c87e3a82db 100644
--- a/django/views/i18n.py
+++ b/django/views/i18n.py
@@ -9,6 +9,7 @@ from django.utils.text import javascript_quote
from django.utils.encoding import smart_text
from django.utils.formats import get_format_modules, get_format
from django.utils._os import upath
+from django.utils.http import is_safe_url
from django.utils import six
def set_language(request):
@@ -22,11 +23,11 @@ def set_language(request):
redirect to the page in the request (the 'next' parameter) without changing
any state.
"""
- next = request.REQUEST.get('next', None)
- if not next:
- next = request.META.get('HTTP_REFERER', None)
- if not next:
- next = '/'
+ next = request.REQUEST.get('next')
+ if not is_safe_url(url=next, host=request.get_host()):
+ next = request.META.get('HTTP_REFERER')
+ if not is_safe_url(url=next, host=request.get_host()):
+ next = '/'
response = http.HttpResponseRedirect(next)
if request.method == 'POST':
lang_code = request.POST.get('language', None)