Fixed #12534 -- Loosened the the security check for "next" redirects after... (ec193224) · Commits · Dom Sekotill / django

django/contrib/auth/tests/views.py

+4 −1

Original line number	Diff line number	Diff line
		@@ -236,7 +236,9 @@ class LoginTest(AuthViewsTestCase):
		'/view?param=ftp://exampel.com',
		'view/?param=//example.com',
		'https:///',
		'//testserver/'):
		'//testserver/',
		'/url%20with%20spaces/', # see ticket #12534
		):
		safe_url = '%(url)s?%(next)s=%(good_url)s' % {
		'url': login_url,
		'next': REDIRECT_FIELD_NAME,
		@@ -251,6 +253,7 @@ class LoginTest(AuthViewsTestCase):
		self.assertTrue(good_url in response['Location'],
		"%s should be allowed" % good_url)


		class LoginURLSettings(AuthViewsTestCase):
		urls = 'django.contrib.auth.tests.urls'

+3 −3

Original line number	Diff line number	Diff line
		@@ -34,11 +34,11 @@ def login(request, template_name='registration/login.html',
		if form.is_valid():
		netloc = urlparse.urlparse(redirect_to)[1]

		# Light security check -- make sure redirect_to isn't garbage.
		if not redirect_to or ' ' in redirect_to:
		# Use default setting if redirect_to is empty
		if not redirect_to:
		redirect_to = settings.LOGIN_REDIRECT_URL

		# Heavier security check -- don't allow redirection to a different
		# Security check -- don't allow redirection to a different
		# host.
		elif netloc and netloc != request.get_host():
		redirect_to = settings.LOGIN_REDIRECT_URL