authorFlorian Apolloner <florian@apolloner.eu>2012-11-17 22:00:53 +0100
committerFlorian Apolloner <florian@apolloner.eu>2012-12-10 22:14:16 +0100
commitb2ae0a63aeec741f1e51bac9a95a27fd635f9652 (patch)
tree7635165e2aafa25d89d74b27e33bcd2bcf6e0910 /django/contrib/auth
parent8c9a8fd5c4e5ed157d2d5fa09f3d6d05d2290bbf (diff)
[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
Diffstat (limited to 'django/contrib/auth')
-rw-r--r--django/contrib/auth/views.py51
1 files changed, 22 insertions, 29 deletions
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index ac88020908..62599b8752 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -4,7 +4,7 @@ from django.conf import settings
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect, QueryDict
from django.template.response import TemplateResponse
-from django.utils.http import base36_to_int
+from django.utils.http import base36_to_int, is_safe_url
from django.utils.translation import ugettext as _
from django.views.decorators.debug import sensitive_post_parameters
from django.views.decorators.cache import never_cache
@@ -34,18 +34,11 @@ def login(request, template_name='registration/login.html',
if request.method == "POST":
form = authentication_form(data=request.POST)
if form.is_valid():
- netloc = urlparse.urlparse(redirect_to)[1]
-
- # Use default setting if redirect_to is empty
- if not redirect_to:
- redirect_to = settings.LOGIN_REDIRECT_URL
-
- # Heavier security check -- don't allow redirection to a different
- # host.
- elif netloc and netloc != request.get_host():
+ # Ensure the user-originating redirection url is safe.
+ if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
- # Okay, security checks complete. Log the user in.
+ # Okay, security check complete. Log the user in.
auth_login(request, form.get_user())
if request.session.test_cookie_worked():
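Review bot: The fallback to `settings.LOGIN_REDIRECT_URL` for an empty `redirect_to` is now implicit: the removed `if not redirect_to` branch made that case explicit, while the new code on L43 relies on `is_safe_url` treating an empty url as unsafe, which the hunk does not state. Extending the comment on L42 would keep that intent visible to the next maintainer, e.g. `# Ensure the user-originating redirection url is safe; an empty url is treated as unsafe too, so the default applies when no redirect was requested.` (assuming `is_safe_url` does return False for an empty url, as this code presupposes). With `urlparse.urlparse` no longer called in this view, the file's `urlparse` import may now be unused, but the import block is outside the hunk. The body of `login` starts and ends outside the hunk.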
@@ -78,27 +71,27 @@ def logout(request, next_page=None,
Logs out the user and displays 'You are logged out' message.
"""
auth_logout(request)
- redirect_to = request.REQUEST.get(redirect_field_name, '')
- if redirect_to:
- netloc = urlparse.urlparse(redirect_to)[1]
+
+ if redirect_field_name in request.REQUEST:
+ next_page = request.REQUEST[redirect_field_name]
# Security check -- don't allow redirection to a different host.
- if not (netloc and netloc != request.get_host()):
- return HttpResponseRedirect(redirect_to)
+ if not is_safe_url(url=next_page, host=request.get_host()):
+ next_page = request.path
- if next_page is None:
- current_site = get_current_site(request)
- context = {
- 'site': current_site,
- 'site_name': current_site.name,
- 'title': _('Logged out')
- }
- if extra_context is not None:
- context.update(extra_context)
- return TemplateResponse(request, template_name, context,
- current_app=current_app)
- else:
+ if next_page:
# Redirect to this page until the session has been cleared.
- return HttpResponseRedirect(next_page or request.path)
+ return HttpResponseRedirect(next_page)
+
+ current_site = get_current_site(request)
+ context = {
+ 'site': current_site,
+ 'site_name': current_site.name,
+ 'title': _('Logged out')
+ }
+ if extra_context is not None:
+ context.update(extra_context)
+ return TemplateResponse(request, template_name, context,
+ current_app=current_app)
def logout_then_login(request, login_url=None, current_app=None, extra_context=None):
"""