From 549b90fab33c80d1ba6575d4837ea52d79f70fb1 Mon Sep 17 00:00:00 2001 From: Przemysław Suliga Date: Fri, 19 Aug 2016 13:40:21 +0200 Subject: Refs #26902 -- Protected against insecure redirects in Login/LogoutView. --- docs/releases/1.11.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.11.txt b/docs/releases/1.11.txt index d62ea80e8c..64afe7a841 100644 --- a/docs/releases/1.11.txt +++ b/docs/releases/1.11.txt @@ -356,6 +356,13 @@ to assign a free port. The ``DJANGO_LIVE_TEST_SERVER_ADDRESS`` environment variable is no longer used, and as it's also no longer used, the ``manage.py test --liveserver`` option is removed. +Protection against insecure redirects in :mod:`django.contrib.auth` views +------------------------------------------------------------------------- + +``LoginView`` and ``LogoutView`` (and the deprecated function-based equivalents) +protect users from being redirected to non-HTTPS ``next`` URLs when the app +is running over HTTPS. + Miscellaneous ------------- -- cgit v1.3