Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #5227 -- Made the redirect security check in django.contrib.aut…

…h.views.login() tighter. Thanks, Sander Dijkhuis

git-svn-id: http://code.djangoproject.com/svn/django/trunk@6004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 375c88d2bcb98e80b38b0ad3b6e7116b80c13064 1 parent b3103fe
@adrianholovaty adrianholovaty authored
Showing with 2 additions and 1 deletion.
  1. +1 −0  AUTHORS
  2. +1 −1  django/contrib/auth/views.py
View
1  AUTHORS
@@ -94,6 +94,7 @@ answer newbie questions, and generally made Django that much better:
Alex Dedul
deric@monowerks.com
Max Derkachev <mderk@yandex.ru>
+ Sander Dijkhuis <sander.dijkhuis@gmail.com>
Jordan Dimov <s3x3y1@gmail.com>
dne@mayonnaise.net
Maximillian Dornseif <md@hudora.de>
View
2  django/contrib/auth/views.py
@@ -17,7 +17,7 @@ def login(request, template_name='registration/login.html'):
errors = manipulator.get_validation_errors(request.POST)
if not errors:
# Light security check -- make sure redirect_to isn't garbage.
- if not redirect_to or '://' in redirect_to or ' ' in redirect_to:
+ if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
from django.conf import settings
redirect_to = settings.LOGIN_REDIRECT_URL
from django.contrib.auth import login

0 comments on commit 375c88d

Please sign in to comment.
Something went wrong with that request. Please try again.