From 5591a72571b8a07c5e3d87dcfe08310bb7611d15 Mon Sep 17 00:00:00 2001
From: Aymeric Augustin
Date: Mon, 18 Apr 2022 16:33:10 +0200
Subject: [PATCH] Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.

---
 django/contrib/auth/views.py | 5 ++++-
 tests/auth_tests/test_views.py | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index f86debde00..5de3989ffc 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -175,7 +175,10 @@ class LogoutView(SuccessURLAllowedHostsMixin, TemplateView):
         # Security check -- Ensure the user-originating redirection URL is
         # safe.
         if not url_is_safe:
-            next_page = self.request.path
+            if settings.LOGOUT_REDIRECT_URL:
+                next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
+            else:
+                next_page = self.request.path
         return next_page
 
     def get_context_data(self, **kwargs):
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 622a40de22..dbff931753 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -1335,6 +1335,12 @@ class LogoutTest(AuthViewsTestCase):
         response = self.client.post("/logout/")
         self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
 
+    @override_settings(LOGOUT_REDIRECT_URL="/custom/")
+    def test_logout_redirect_url_setting_allowed_hosts_unsafe_host(self):
+        self.login()
+        response = self.client.post("/logout/allowed_hosts/?next=https://evil/")
+        self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
+
     @override_settings(LOGOUT_REDIRECT_URL="logout")
     def test_logout_redirect_url_named_setting(self):
         self.login()
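Review bot: The new fallback in the `if not url_is_safe:` branch consults only `settings.LOGOUT_REDIRECT_URL`, so when the view itself was configured with a `next_page` (the attribute LogoutView exposes for per-URL overrides, if I read the surrounding code correctly — it is not visible in this hunk) an unsafe `?next=` still sends the user to the global setting or `self.request.path` rather than to that configured page, which seems inconsistent with the precedence used when no `next` parameter is supplied. If that is intended, a short why-comment would save the next reader from wondering: `# Unsafe user-supplied URL: fall back to the configured logout target directly, rather than to this view's own path, to avoid a second redirect.` The enclosing `get_next_page` method starts outside the hunk, so the earlier precedence logic and the `url_is_safe` computation are not shown here.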
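Review bot: `test_logout_redirect_url_setting_allowed_hosts_unsafe_host` asserts only the Location header (`fetch_redirect_response=False`) and never checks that the session was actually terminated, so a regression that redirected to `/custom/` without logging out would still pass. If the sibling tests in LogoutTest use a logged-out assertion helper (not visible in this hunk), adding the same call after the redirect check would pin both halves of the behaviour; the class body continues outside the hunk.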