Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.

Aymeric Augustin 2022-04-18 16:33:10 +02:00 committed by GitHub
parent fe7cb34544
commit 5591a72571
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 1 deletions


@ -175,6 +175,9 @@ class LogoutView(SuccessURLAllowedHostsMixin, TemplateView):
# Security check -- Ensure the user-originating redirection URL is # Security check -- Ensure the user-originating redirection URL is
# safe. # safe.
if not url_is_safe: if not url_is_safe:
if settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.request.path next_page = self.request.path
return next_page return next_page
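Review bot: The `# Security check` comment above `if not url_is_safe:` no longer explains the fallback, because the rejected user-supplied URL is now replaced by `resolve_url(settings.LOGOUT_REDIRECT_URL)`, which is returned without passing through the safety check. That is reasonable since the value comes from settings rather than from the request, but it should be stated so a later reader does not take the missing check for an oversight, e.g. `# Fall back to the configured LOGOUT_REDIRECT_URL; it comes from settings, not the request, so it is not re-validated.` When the setting is empty, the `else` branch still redirects to `self.request.path`. The enclosing method starts outside the hunk.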


@ -1335,6 +1335,12 @@ class LogoutTest(AuthViewsTestCase):
response = self.client.post("/logout/") response = self.client.post("/logout/")
self.assertRedirects(response, "/custom/", fetch_redirect_response=False) self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
@override_settings(LOGOUT_REDIRECT_URL="/custom/")
def test_logout_redirect_url_setting_allowed_hosts_unsafe_host(self):
self.login()
response = self.client.post("/logout/allowed_hosts/?next=https://evil/")
self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
@override_settings(LOGOUT_REDIRECT_URL="logout") @override_settings(LOGOUT_REDIRECT_URL="logout")
def test_logout_redirect_url_named_setting(self): def test_logout_redirect_url_named_setting(self):
self.login() self.login()
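Review bot: The new test `test_logout_redirect_url_setting_allowed_hosts_unsafe_host` exercises the unsafe `next` only through the query string of a POST. If the view also reads `next` from the POST body (not visible in this section), the same fallback should be pinned there too, e.g. `response = self.client.post("/logout/allowed_hosts/", {"next": "https://evil/"})` followed by the same `assertRedirects(response, "/custom/", fetch_redirect_response=False)`. A one-line comment stating that the unsafe host must be discarded in favour of `LOGOUT_REDIRECT_URL` would also make the intent explicit.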