Refs #26902 -- Protected against insecure redirects in set_language().

2016-08-19 14:32:21 +02:00 · 2016-08-19 14:32:21 +02:00 · 1f68bb5683
parent 549b90fab3
commit 1f68bb5683
3 changed files with 25 additions and 7 deletions
--- a/django/views/i18n.py
+++ b/django/views/i18n.py
@ -37,11 +37,12 @@ def set_language(request):
    any state.
    """
    next = request.POST.get('next', request.GET.get('next'))
-    if (next or not request.is_ajax()) and not is_safe_url(url=next, host=request.get_host()):
+    if ((next or not request.is_ajax()) and
+            not is_safe_url(url=next, host=request.get_host(), require_https=request.is_secure())):
        next = request.META.get('HTTP_REFERER')
        if next:
            next = urlunquote(next)  # HTTP_REFERER may be encoded.
-        if not is_safe_url(url=next, host=request.get_host()):
+        if not is_safe_url(url=next, host=request.get_host(), require_https=request.is_secure()):
            next = '/'
    response = http.HttpResponseRedirect(next) if next else http.HttpResponse(status=204)
    if request.method == 'POST':
--- a/docs/releases/1.11.txt
+++ b/docs/releases/1.11.txt
@ -356,12 +356,12 @@ to assign a free port. The ``DJANGO_LIVE_TEST_SERVER_ADDRESS`` environment
 variable is no longer used, and as it's also no longer used, the
 ``manage.py test --liveserver`` option is removed.

-Protection against insecure redirects in :mod:`django.contrib.auth` views
-------------------------------------------------------------------------
+Protection against insecure redirects in :mod:`django.contrib.auth` and ``i18n`` views
+--------------------------------------------------------------------------------------

-``LoginView`` and ``LogoutView`` (and the deprecated function-based equivalents)
-protect users from being redirected to non-HTTPS ``next`` URLs when the app
-is running over HTTPS.
+``LoginView``, ``LogoutView`` (and the deprecated function-based equivalents),
+and :func:`~django.views.i18n.set_language` protect users from being redirected
+to non-HTTPS ``next`` URLs when the app is running over HTTPS.

 Miscellaneous
 -------------
--- a/tests/view_tests/tests/test_i18n.py
+++ b/tests/view_tests/tests/test_i18n.py
@ -54,6 +54,23 @@ class I18NTests(TestCase):
        self.assertEqual(response.url, '/')
        self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)

+    def test_setlang_http_next(self):
+        """
+        The set_language view only redirects to the 'next' argument if it is
+        "safe" and its scheme is https if the request was sent over https.
+        """
+        lang_code = self._get_inactive_language_code()
+        non_https_next_url = 'http://testserver/redirection/'
+        post_data = dict(language=lang_code, next=non_https_next_url)
+        # Insecure URL in POST data.
+        response = self.client.post('/i18n/setlang/', data=post_data, secure=True)
+        self.assertEqual(response.url, '/')
+        self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
+        # Insecure URL in HTTP referer.
+        response = self.client.post('/i18n/setlang/', secure=True, HTTP_REFERER=non_https_next_url)
+        self.assertEqual(response.url, '/')
+        self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
+
    def test_setlang_redirect_to_referer(self):
        """
        The set_language view redirects to the URL in the referer header when