authorFlorian Apolloner <florian@apolloner.eu>2012-11-17 22:00:53 +0100
committerFlorian Apolloner <florian@apolloner.eu>2012-12-10 22:14:16 +0100
commitb2ae0a63aeec741f1e51bac9a95a27fd635f9652 (patch)
tree7635165e2aafa25d89d74b27e33bcd2bcf6e0910 /django/contrib/comments
parent8c9a8fd5c4e5ed157d2d5fa09f3d6d05d2290bbf (diff)
[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
Diffstat (limited to 'django/contrib/comments')
-rw-r--r--django/contrib/comments/views/comments.py11
-rw-r--r--django/contrib/comments/views/moderation.py7
-rw-r--r--django/contrib/comments/views/utils.py10
3 files changed, 13 insertions, 15 deletions
diff --git a/django/contrib/comments/views/comments.py b/django/contrib/comments/views/comments.py
index 57720163c3..20c172f0d2 100644
--- a/django/contrib/comments/views/comments.py
+++ b/django/contrib/comments/views/comments.py
@@ -44,9 +44,6 @@ def post_comment(request, next=None, using=None):
if not data.get('email', ''):
data["email"] = request.user.email
- # Check to see if the POST data overrides the view's next argument.
- next = data.get("next", next)
-
# Look up the object we're trying to comment about
ctype = data.get("content_type")
object_pk = data.get("object_pk")
@@ -98,9 +95,9 @@ def post_comment(request, next=None, using=None):
]
return render_to_response(
template_list, {
- "comment" : form.data.get("comment", ""),
- "form" : form,
- "next": next,
+ "comment": form.data.get("comment", ""),
+ "form": form,
+ "next": data.get("next", next),
},
RequestContext(request, {})
)
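Review bot: The `"next": data.get("next", next)` line hands the raw POST value back to the preview template, not the validated one, and nothing in the hunk explains why that is acceptable now that the override two hunks above was removed. It is presumably round-tripped only as hidden form state and checked by next_redirect() once the preview is re-submitted, but that makes the preview template responsible for escaping it like any other user-supplied string; the reasoning belongs next to the line. I would add `# Raw POST value, re-emitted only as form state; next_redirect() validates it on submit.` directly above it. post_comment continues outside this hunk.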
@@ -131,7 +128,7 @@ def post_comment(request, next=None, using=None):
request = request
)
- return next_redirect(data, next, comment_done, c=comment._get_pk_val())
+ return next_redirect(request, next, comment_done, c=comment._get_pk_val())
comment_done = confirmation_view(
template = "comments/posted.html",
diff --git a/django/contrib/comments/views/moderation.py b/django/contrib/comments/views/moderation.py
index fb9e91ef97..1efa10fbd7 100644
--- a/django/contrib/comments/views/moderation.py
+++ b/django/contrib/comments/views/moderation.py
@@ -10,7 +10,6 @@ from django.shortcuts import get_object_or_404, render_to_response
from django.views.decorators.csrf import csrf_protect
-
@csrf_protect
@login_required
def flag(request, comment_id, next=None):
@@ -27,7 +26,7 @@ def flag(request, comment_id, next=None):
# Flag on POST
if request.method == 'POST':
perform_flag(request, comment)
- return next_redirect(request.POST.copy(), next, flag_done, c=comment.pk)
+ return next_redirect(request, next, flag_done, c=comment.pk)
# Render a form on GET
else:
@@ -54,7 +53,7 @@ def delete(request, comment_id, next=None):
if request.method == 'POST':
# Flag the comment as deleted instead of actually deleting it.
perform_delete(request, comment)
- return next_redirect(request.POST.copy(), next, delete_done, c=comment.pk)
+ return next_redirect(request, next, delete_done, c=comment.pk)
# Render a form on GET
else:
@@ -81,7 +80,7 @@ def approve(request, comment_id, next=None):
if request.method == 'POST':
# Flag the comment as approved.
perform_approve(request, comment)
- return next_redirect(request.POST.copy(), next, approve_done, c=comment.pk)
+ return next_redirect(request, next, approve_done, c=comment.pk)
# Render a form on GET
else:
diff --git a/django/contrib/comments/views/utils.py b/django/contrib/comments/views/utils.py
index cc985e52d2..94ee2470d5 100644
--- a/django/contrib/comments/views/utils.py
+++ b/django/contrib/comments/views/utils.py
@@ -4,14 +4,15 @@ A few bits of helper functions for comment views.
import urllib
import textwrap
-from django.http import HttpResponseRedirect
from django.core import urlresolvers
+from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.core.exceptions import ObjectDoesNotExist
from django.contrib import comments
+from django.utils.http import is_safe_url
-def next_redirect(data, default, default_view, **get_kwargs):
+def next_redirect(request, default, default_view, **get_kwargs):
"""
Handle the "where should I go next?" part of comment views.
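Review bot: Renaming the first parameter from `data` to `request` on `def next_redirect(request, default, default_view, **get_kwargs):` is a backward-incompatible signature change: any external caller that still passes a QueryDict positionally will now fail with an AttributeError on `.POST` inside the body, and the docstring that follows (it runs past this hunk) still describes the old contract. Since this lands on the 1.4.X branch, the docstring should say that `next` is read from `request.POST`, is honoured only when it points at the request's own host, and otherwise falls back to `default_view`; one sentence under the summary line would do. Whether a shim accepting the old positional `data` argument is wanted is a project decision, but it should be an explicit one rather than an accident of the rename.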
@@ -21,9 +22,10 @@ def next_redirect(data, default, default_view, **get_kwargs):
Returns an ``HttpResponseRedirect``.
"""
- next = data.get("next", default)
- if next is None:
+ next = request.POST.get('next', default)
+ if not is_safe_url(url=next, host=request.get_host()):
next = urlresolvers.reverse(default_view)
+
if get_kwargs:
if '#' in next:
tmp = next.rsplit('#', 1)
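Review bot: `if not is_safe_url(url=next, host=request.get_host()):` now also applies to `default`, which comes from the view's URLconf `next` kwarg rather than from the client, so a deliberately configured off-host default is silently replaced by `reverse(default_view)` with nothing logged; that is a behaviour change the commit message does not mention. The check also rests on two things outside this hunk: which URL shapes is_safe_url treats as same-host, and the fact that `request.get_host()` is derived from the request's Host header, so the comparison is only as trustworthy as whatever validates that header elsewhere. I would add `# Both the POSTed value and the configured default must stay on this host; anything else falls back to default_view.` above the check. next_redirect's body continues past the hunk.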