diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2010-03-01 19:58:53 +0000 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2010-03-01 19:58:53 +0000 |
| commit | 6e748b5db4ea6db78ce389f474c2fb78ee3976ed (patch) | |
| tree | 0199bdb5c5f9f674d8de30b8ddc823a8cdf4de01 /django/contrib/auth/views.py | |
| parent | c8015052d935a99a5c8f96434b2d0cd16d8a4e14 (diff) | |
Fixed #11457: tightened the security check for "next" redirects after logins.
The new behavior still disallows redirects to off-site URLs, but now allows
redirects of the form `/some/other/view?foo=http://...`.
Thanks to brutasse.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/contrib/auth/views.py')
| -rw-r--r-- | django/contrib/auth/views.py | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py index d427874df0..b2e875a869 100644 --- a/django/contrib/auth/views.py +++ b/django/contrib/auth/views.py @@ -1,5 +1,8 @@ +import re from django.conf import settings from django.contrib.auth import REDIRECT_FIELD_NAME +# Avoid shadowing the login() view below. +from django.contrib.auth import login as auth_login from django.contrib.auth.decorators import login_required from django.contrib.auth.forms import AuthenticationForm from django.contrib.auth.forms import PasswordResetForm, SetPasswordForm, PasswordChangeForm @@ -20,26 +23,42 @@ from django.views.decorators.cache import never_cache def login(request, template_name='registration/login.html', redirect_field_name=REDIRECT_FIELD_NAME, authentication_form=AuthenticationForm): - "Displays the login form and handles the login action." + """Displays the login form and handles the login action.""" + redirect_to = request.REQUEST.get(redirect_field_name, '') + if request.method == "POST": form = authentication_form(data=request.POST) if form.is_valid(): # Light security check -- make sure redirect_to isn't garbage. - if not redirect_to or '//' in redirect_to or ' ' in redirect_to: + if not redirect_to or ' ' in redirect_to: redirect_to = settings.LOGIN_REDIRECT_URL - from django.contrib.auth import login - login(request, form.get_user()) + + # Heavier security check -- redirects to http://example.com should + # not be allowed, but things like /view/?param=http://example.com + # should be allowed. This regex checks if there is a '//' *before* a + # question mark. + elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to): + redirect_to = settings.LOGIN_REDIRECT_URL + + # Okay, security checks complete. Log the user in. + auth_login(request, form.get_user()) + if request.session.test_cookie_worked(): request.session.delete_test_cookie() + return HttpResponseRedirect(redirect_to) + else: form = authentication_form(request) + request.session.set_test_cookie() + if Site._meta.installed: current_site = Site.objects.get_current() else: current_site = RequestSite(request) + return render_to_response(template_name, { 'form': form, redirect_field_name: redirect_to, |