Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Fixed #12534 -- Loosened the the security check for "next" redirects …

…after logins slightly to allow paths that contain spaces. Thanks for the patch, jnns and aaugustin.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15702 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit ec193224d3580fbcfa78da96a6a7fc4343929dd8 1 parent be4a2e3
Jannis Leidel authored March 01, 2011
5  django/contrib/auth/tests/views.py
@@ -236,7 +236,9 @@ def test_security_check(self, password='password'):
236 236
                          '/view?param=ftp://exampel.com',
237 237
                          'view/?param=//example.com',
238 238
                          'https:///',
239  
-                         '//testserver/'):
  239
+                         '//testserver/',
  240
+                         '/url%20with%20spaces/', # see ticket #12534
  241
+                         ):
240 242
             safe_url = '%(url)s?%(next)s=%(good_url)s' % {
241 243
                 'url': login_url,
242 244
                 'next': REDIRECT_FIELD_NAME,
@@ -251,6 +253,7 @@ def test_security_check(self, password='password'):
251 253
             self.assertTrue(good_url in response['Location'],
252 254
                             "%s should be allowed" % good_url)
253 255
 
  256
+
254 257
 class LoginURLSettings(AuthViewsTestCase):
255 258
     urls = 'django.contrib.auth.tests.urls'
256 259
     
6  django/contrib/auth/views.py
@@ -34,11 +34,11 @@ def login(request, template_name='registration/login.html',
34 34
         if form.is_valid():
35 35
             netloc = urlparse.urlparse(redirect_to)[1]
36 36
 
37  
-            # Light security check -- make sure redirect_to isn't garbage.
38  
-            if not redirect_to or ' ' in redirect_to:
  37
+            # Use default setting if redirect_to is empty
  38
+            if not redirect_to:
39 39
                 redirect_to = settings.LOGIN_REDIRECT_URL
40 40
 
41  
-            # Heavier security check -- don't allow redirection to a different
  41
+            # Security check -- don't allow redirection to a different
42 42
             # host.
43 43
             elif netloc and netloc != request.get_host():
44 44
                 redirect_to = settings.LOGIN_REDIRECT_URL

0 notes on commit ec19322

Please sign in to comment.
Something went wrong with that request. Please try again.