#18856: avoid set_language redirect to different host
-------------------------+-------------------------------------------------
Reporter: Gunnar | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.4
Severity: Normal | Keywords: set_language redirect infinite loop
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------+-------------------------------------------------
{{{
next = request.REQUEST.get('next', None)
if not next:
    next = request.META.get('HTTP_REFERER', None)
}}}
HTTP_REFERER can be from a different host, especially when using an external
SSO Authentication provider.
Then redirecting causes an infinite loop.
Solution:
Like in django.contrib.auth.login:
{{{
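import urlparse  # Python 2 module, as used by Django 1.4

next = request.REQUEST.get('next', None)
if not next:
    next = request.META.get('HTTP_REFERER', None)
# Only parse when there is a candidate; urlparse fails on None.
if next:
    netloc = urlparse.urlparse(next)[1]
    # don't allow redirection to a different
    # host.
    if netloc and netloc != request.get_host():
        next = '/'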
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/18856>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
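
A stand-alone version of the same-host check proposed in the ticket, as an added example that is not part of the ticket or of Django's code. It goes slightly beyond the ticket's snippet by also refusing non-http(s) schemes and URLs containing backslashes or control characters. Assumptions: it uses Python 3's `urllib.parse` rather than the Python 2 `urlparse` module, and the names `is_same_host`, `pick_redirect` and `FALLBACK` are hypothetical.

```python
from urllib.parse import urlsplit

FALLBACK = "/"  # same default the ticket's snippet falls back to


def is_same_host(url, host):
    """Return True if `url` is relative or points at `host` over http(s)."""
    if not url:
        return False
    # Browsers treat backslashes like slashes and ignore leading whitespace or
    # control characters, so refuse them rather than guess how they parse.
    if "\\" in url or url != url.strip() or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # Relative URL; a scheme without a host ("http:///x") is refused.
        return not parts.scheme
    # `host` is what request.get_host() would return (may include a port).
    return parts.netloc.lower() == host.lower()


def pick_redirect(next_param, referer, host):
    """Mirror set_language: prefer ?next=, then the Referer, then FALLBACK."""
    for candidate in (next_param, referer):
        if candidate:
            return candidate if is_same_host(candidate, host) else FALLBACK
    return FALLBACK
```
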