Ticket #10629: auth_redirect_ssl.diff

django/contrib/auth/views.py

@@ +1 @@
+import urlparse
+
 from django.conf import settings
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.decorators import login_required
@@ -20 +22 @@
     if request.method == "POST":
         form = AuthenticationForm(data=request.POST)
         if form.is_valid():
-            # Light security check -- make sure redirect_to isn't garbage.
-            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
+            if not redirect_to:
                 redirect_to = settings.LOGIN_REDIRECT_URL
+            else:
+                # Light security check -- make sure redirect_to
+                # doesn't reference a third-party site.
+                url = urlparse.urlparse(redirect_to)
+                if url.netloc and url.netloc != request.get_host():
+                    redirect_to = settings.LOGIN_REDIRECT_URL
             from django.contrib.auth import login
             login(request, form.get_user())
             if request.session.test_cookie_worked():

django/contrib/auth/decorators.py

@@ -65 +65 @@
     def __call__(self, request, *args, **kwargs):
         if self.test_func(request.user):
             return self.view_func(request, *args, **kwargs)
-        path = urlquote(request.get_full_path())
-        tup = self.login_url, self.redirect_field_name, path
+        cur_url =  "%s://%s%s" % (request.is_secure() and "https" or "http",request.get_host(),request.get_full_path())
+        tup = self.login_url, self.redirect_field_name, urlquote(cur_url)
         return HttpResponseRedirect('%s?%s=%s' % tup)