Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #12534 -- Loosened the the security check for "next" redirects …

…after logins slightly to allow paths that contain spaces. Thanks for the patch, jnns and aaugustin.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15702 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit ec193224d3580fbcfa78da96a6a7fc4343929dd8 1 parent be4a2e3
@jezdez jezdez authored
View
5 django/contrib/auth/tests/views.py
@@ -236,7 +236,9 @@ def test_security_check(self, password='password'):
'/view?param=ftp://exampel.com',
'view/?param=//example.com',
'https:///',
- '//testserver/'):
+ '//testserver/',
+ '/url%20with%20spaces/', # see ticket #12534
+ ):
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
'url': login_url,
'next': REDIRECT_FIELD_NAME,
@@ -251,6 +253,7 @@ def test_security_check(self, password='password'):
self.assertTrue(good_url in response['Location'],
"%s should be allowed" % good_url)
+
class LoginURLSettings(AuthViewsTestCase):
urls = 'django.contrib.auth.tests.urls'
View
6 django/contrib/auth/views.py
@@ -34,11 +34,11 @@ def login(request, template_name='registration/login.html',
if form.is_valid():
netloc = urlparse.urlparse(redirect_to)[1]
- # Light security check -- make sure redirect_to isn't garbage.
- if not redirect_to or ' ' in redirect_to:
+ # Use default setting if redirect_to is empty
+ if not redirect_to:
redirect_to = settings.LOGIN_REDIRECT_URL
- # Heavier security check -- don't allow redirection to a different
+ # Security check -- don't allow redirection to a different
# host.
elif netloc and netloc != request.get_host():
redirect_to = settings.LOGIN_REDIRECT_URL
Please sign in to comment.
Something went wrong with that request. Please try again.