authorPrzemysław Suliga <mail@suligap.net>2016-08-19 13:40:21 +0200
committerTim Graham <timograham@gmail.com>2016-08-19 19:01:01 -0400
commit549b90fab33c80d1ba6575d4837ea52d79f70fb1 (patch)
tree42b4220bbc3b451c3f8bae8d3c3e5ce54431c53a /tests/auth_tests/test_views.py
parent5e5a17028f4b9cfb5ff777d8c259e079bca0c988 (diff)
Refs #26902 -- Protected against insecure redirects in Login/LogoutView.
Diffstat (limited to 'tests/auth_tests/test_views.py')
-rw-r--r--tests/auth_tests/test_views.py32
1 files changed, 32 insertions, 0 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index e1371f5a35..3b60643a73 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -551,6 +551,23 @@ class LoginTest(AuthViewsTestCase):
self.assertEqual(response.status_code, 302)
self.assertIn(good_url, response.url, "%s should be allowed" % good_url)
+ def test_security_check_https(self):
+ login_url = reverse('login')
+ non_https_next_url = 'http://testserver/path'
+ not_secured_url = '%(url)s?%(next)s=%(next_url)s' % {
+ 'url': login_url,
+ 'next': REDIRECT_FIELD_NAME,
+ 'next_url': urlquote(non_https_next_url),
+ }
+ post_data = {
+ 'username': 'testclient',
+ 'password': 'password',
+ }
+ response = self.client.post(not_secured_url, post_data, secure=True)
+ self.assertEqual(response.status_code, 302)
+ self.assertNotEqual(response.url, non_https_next_url)
+ self.assertEqual(response.url, settings.LOGIN_REDIRECT_URL)
+
def test_login_form_contains_request(self):
# 15198
self.client.post('/custom_requestauth_login/', {
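Review bot: The new LoginTest.test_security_check_https only asserts that an `http://` next URL is dropped on a secure request; nothing asserts that an `https://testserver/path` next is still honoured under `secure=True`, so an implementation that rejected every absolute next URL would presumably pass this test as well. The same gap exists in LogoutTest.test_security_check_https in the second hunk, which likewise has only the rejection path. A one-line docstring would state the intent, e.g. `"""A non-HTTPS next URL is ignored when the login request itself is HTTPS."""`. The local name `not_secured_url` suggests the URL under test is itself insecure, whereas it is the login URL carrying an http next parameter; `login_url_with_http_next` would read more accurately.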
@@ -919,6 +936,21 @@ class LogoutTest(AuthViewsTestCase):
self.assertIn(good_url, response.url, "%s should be allowed" % good_url)
self.confirm_logged_out()
+ def test_security_check_https(self):
+ logout_url = reverse('logout')
+ non_https_next_url = 'http://testserver/'
+ url = '%(url)s?%(next)s=%(next_url)s' % {
+ 'url': logout_url,
+ 'next': REDIRECT_FIELD_NAME,
+ 'next_url': urlquote(non_https_next_url),
+ }
+ self.login()
+ response = self.client.get(url, secure=True)
+ self.assertEqual(response.status_code, 302)
+ self.assertNotEqual(response.url, non_https_next_url)
+ self.assertEqual(response.url, logout_url)
+ self.confirm_logged_out()
+
def test_logout_preserve_language(self):
"""Check that language stored in session is preserved after logout"""
# Create a new session with language