This preserves the behavior of redirecting to the logout URL without
query string parameters when an insecure ?next=... parameter is given.
It changes the behavior of a POST to the logout URL, as shown by the
test that is changed. Currently, this results in a GET to the logout
URL. However, such GET requests are deprecated. This change would be
necessary in Django 5.0 anyway. This commit merely anticipates it.
This might change the behavior when self.next_page == "". However,
resolve_url(self.next_page) would almost certainly fail in that case.
It is technically possible to define a logout URLpattern whose name is
"": path('logout/', LogoutView.as_view(), name=''), and then to refer to
this pattern with next_page = "". However this feels like a pathological
case, so we decided not to handle it.
Most checks on next_page, LOGIN_REDIRECT_URL, and LOGOUT_REDIRECT_URL
are performed with boolean evaluation rather than comparison with None.
That's why we standardizing that way.
This aligns it with LoginView. Also, it removes confusion with the
get_next_page() method of paginators. get_next_page() was a private
API, therefore this refactoring is allowed.
This also renames SuccessURLAllowedHostsMixin to RedirectURLMixin.
This doesn't change the behavior of LogoutView.get_next_page() because
next_page == "" implies url_is_safe == False before the refactoring.
The default argument is unnecessary because
url_has_allowed_host_and_scheme() returns False when its first argument
is "" or None, so get_redirect_url() still returns "".
This also aligns LoginView.get_redirect_url() and LogoutView.get_next_page().
In these cases Black produces unexpected results, e.g.
def make_random_password(
self,
length=10,
allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):
or
cursor.execute("""
SELECT ...
""",
[table name],
)
md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.
md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Django apps initialization to run management command triggers the admin
autodiscovery. Importing django.contrib.auth.tokens creates an instance
of PasswordResetTokenGenerator which required a SECRET_KEY.
For several management commands, the token generator is unused. It
should only complain about a missing SECRET_KEY when it is used.
Mariusz Felisiak
Claude Paroz
Tim Graham
Marcelo Galigniana
Ciaran McCormick
Aymeric Augustin
Carlton Gibson
Lucidiot
René Fleschenberg
Adrian Torres
django-bot
tschilling
Florian Apolloner
Adam Johnson
Lie Ryan
Ade Lee
Christophe Henry
Mateo Radman
Premkumar Chalmeti
David Smith
ryowright
abhiabhi94
David Sanders
David Wobrock
François Freitag