Fixed #5227 -- Made the redirect security check in django.contrib.auth.views.login() tighter. Thanks, Sander Dijkhuis
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty
parent
b3103feead
commit
375c88d2bc
1
AUTHORS
1
AUTHORS
|
|
@ -94,6 +94,7 @@ answer newbie questions, and generally made Django that much better:
|
||||||
Alex Dedul
|
Alex Dedul
|
||||||
deric@monowerks.com
|
deric@monowerks.com
|
||||||
Max Derkachev <mderk@yandex.ru>
|
Max Derkachev <mderk@yandex.ru>
|
||||||
|
Sander Dijkhuis <sander.dijkhuis@gmail.com>
|
||||||
Jordan Dimov <s3x3y1@gmail.com>
|
Jordan Dimov <s3x3y1@gmail.com>
|
||||||
dne@mayonnaise.net
|
dne@mayonnaise.net
|
||||||
Maximillian Dornseif <md@hudora.de>
|
Maximillian Dornseif <md@hudora.de>
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@ def login(request, template_name='registration/login.html'):
|
||||||
errors = manipulator.get_validation_errors(request.POST)
|
errors = manipulator.get_validation_errors(request.POST)
|
||||||
if not errors:
|
if not errors:
|
||||||
# Light security check -- make sure redirect_to isn't garbage.
|
# Light security check -- make sure redirect_to isn't garbage.
|
||||||
if not redirect_to or '://' in redirect_to or ' ' in redirect_to:
|
if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
redirect_to = settings.LOGIN_REDIRECT_URL
|
redirect_to = settings.LOGIN_REDIRECT_URL
|
||||||
from django.contrib.auth import login
|
from django.contrib.auth import login
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue