Ticket #5227 (closed: fixed)

Opened 1 year ago

Last modified 1 year ago

Redirect security check in login code is incomplete

Reported by: Sander Dijkhuis <sander.dijkhuis@gmail.com>
Assigned to: adrian
Milestone:
Component: Contrib apps
Version: SVN
Keywords: auth
Cc: sander.dijkhuis@gmail.com
Triage Stage: Unreviewed
Has patch: 0
Needs documentation:
Needs tests:
Patch needs improvement:

Description

The security check for the value of redirect_to in django.contrib.auth.views.login is incomplete. It's meant to block incorrect URLs and external locations, but it will still redirect to external sites if the URL doesn't include the protocol name. This is because '//' isn't blocked. So currently, /accounts/login/?next=//example.com/ will redirect the user to http://example.com/ after a successful authentication. This can be considered a small security problem.

It can be fixed by modifying line 20:

            if not redirect_to or '://' in redirect_to or ' ' in redirect_to:

should be:

            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
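
The check before and after the one-token change proposed above, run side by side against a few constructed `next=` values. This is an added example, not code from Django or from the reporter: the two predicates reproduce the conditions quoted in the ticket, and `resolves_offsite()` uses the standard library's URL resolution to show where a browser would actually land, which is the property the check is meant to enforce. `LOGIN_URL` is an assumed, hypothetical site.

```python
# Added example (not Django's own code): the login redirect check as quoted
# in the ticket, before and after the proposed fix, against constructed input.
from urllib.parse import urljoin, urlsplit

# Assumed/hypothetical site hosting the login view; used only to resolve
# relative and protocol-relative values the way a browser would.
LOGIN_URL = "http://app.example/accounts/login/"


def is_allowed_before(redirect_to: str) -> bool:
    """The check as it stood: rejects empty values, values containing '://'
    and values containing a space. A protocol-relative '//host/' passes."""
    return not (not redirect_to or '://' in redirect_to or ' ' in redirect_to)


def is_allowed_after(redirect_to: str) -> bool:
    """The check with '://' replaced by '//', as the ticket proposes:
    protocol-relative values are now rejected as well."""
    return not (not redirect_to or '//' in redirect_to or ' ' in redirect_to)


def resolves_offsite(redirect_to: str) -> bool:
    """Ground truth for the check: resolve redirect_to against the login page
    exactly as a browser would and compare the resulting host. A value such
    as '//example.com/' inherits the current scheme and lands on example.com."""
    target = urlsplit(urljoin(LOGIN_URL, redirect_to))
    return target.netloc != urlsplit(LOGIN_URL).netloc


# Constructed sample inputs: a normal in-site path, an absolute external URL,
# the protocol-relative bypass from the ticket, and an empty value.
CASES = [
    "/accounts/profile/",
    "http://example.com/",
    "//example.com/",
    "",
]


def evaluate(cases=CASES):
    """Map each input to (allowed before fix, allowed after fix, goes off-site)."""
    return {c: (is_allowed_before(c), is_allowed_after(c), resolves_offsite(c))
            for c in cases}


if __name__ == "__main__":
    for url, (before, after, offsite) in evaluate().items():
        print(f"{url!r:24} before={before!s:5} after={after!s:5} offsite={offsite}")
```

Running it shows the gap in one row: `//example.com/` is allowed by the old check, resolves to an external host, and is rejected only by the patched check. Comparing a string-matching check against the resolved host, as `resolves_offsite()` does here, is a quick way to catch this class of mismatch when reviewing similar redirect validation.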

Change History

08/25/07 13:34:28 changed by adrian

  • status changed from new to closed.
  • resolution set to fixed.

(In [6004]) Fixed #5227 -- Made the redirect security check in django.contrib.auth.views.login() tighter. Thanks, Sander Dijkhuis
