test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs #26902 -- Protected against insecure redirects in set_language().

This commit is contained in:
Przemysław Suliga 2016-08-19 14:32:21 +02:00 committed by Tim Graham
parent 549b90fab3
commit 1f68bb5683
3 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
django/views/i18n.py
View File

@ -37,11 +37,12 @@ def set_language(request):
any state. any state.
""" """
next = request.POST.get('next', request.GET.get('next')) next = request.POST.get('next', request.GET.get('next'))
if (next or not request.is_ajax()) and not is_safe_url(url=next, host=request.get_host()): if ((next or not request.is_ajax()) and
not is_safe_url(url=next, host=request.get_host(), require_https=request.is_secure())):
next = request.META.get('HTTP_REFERER') next = request.META.get('HTTP_REFERER')
if next: if next:
next = urlunquote(next) # HTTP_REFERER may be encoded. next = urlunquote(next) # HTTP_REFERER may be encoded.
if not is_safe_url(url=next, host=request.get_host()): if not is_safe_url(url=next, host=request.get_host(), require_https=request.is_secure()):
next = '/' next = '/'
response = http.HttpResponseRedirect(next) if next else http.HttpResponse(status=204) response = http.HttpResponseRedirect(next) if next else http.HttpResponse(status=204)
if request.method == 'POST': if request.method == 'POST':

10
docs/releases/1.11.txt
View File

@ -356,12 +356,12 @@ to assign a free port. The ``DJANGO_LIVE_TEST_SERVER_ADDRESS`` environment
variable is no longer used, and as it's also no longer used, the variable is no longer used, and as it's also no longer used, the
``manage.py test --liveserver`` option is removed. ``manage.py test --liveserver`` option is removed.
Protection against insecure redirects in :mod:`django.contrib.auth` views Protection against insecure redirects in :mod:`django.contrib.auth` and ``i18n`` views
------------------------------------------------------------------------- --------------------------------------------------------------------------------------
``LoginView`` and ``LogoutView`` (and the deprecated function-based equivalents) ``LoginView``, ``LogoutView`` (and the deprecated function-based equivalents),
protect users from being redirected to non-HTTPS ``next`` URLs when the app and :func:`~django.views.i18n.set_language` protect users from being redirected
is running over HTTPS. to non-HTTPS ``next`` URLs when the app is running over HTTPS.
Miscellaneous Miscellaneous
------------- -------------

17
tests/view_tests/tests/test_i18n.py
View File

@ -54,6 +54,23 @@ class I18NTests(TestCase):
self.assertEqual(response.url, '/') self.assertEqual(response.url, '/')
self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
def test_setlang_http_next(self):
"""
The set_language view only redirects to the 'next' argument if it is
"safe" and its scheme is https if the request was sent over https.
"""
lang_code = self._get_inactive_language_code()
non_https_next_url = 'http://testserver/redirection/'
post_data = dict(language=lang_code, next=non_https_next_url)
# Insecure URL in POST data.
response = self.client.post('/i18n/setlang/', data=post_data, secure=True)
self.assertEqual(response.url, '/')
self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
# Insecure URL in HTTP referer.
response = self.client.post('/i18n/setlang/', secure=True, HTTP_REFERER=non_https_next_url)
self.assertEqual(response.url, '/')
self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
def test_setlang_redirect_to_referer(self): def test_setlang_redirect_to_referer(self):
""" """
The set_language view redirects to the URL in the referer header when The set_language view redirects to the URL in the referer header when