Ticket #14405: patch-14405.diff
File patch-14405.diff, 2.1 KB (added by , 14 years ago) |
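--- a/views.py
+++ b/views.py
@@ -26,22 +26,24 @@
     """Displays the login form and handles the login action."""
 
     redirect_to = request.REQUEST.get(redirect_field_name, '')
+
+    # Light security check -- make sure redirect_to isn't garbage.
+    if not redirect_to or ' ' in redirect_to:
+        redirect_to = settings.LOGIN_REDIRECT_URL
+
+    # Heavier security check -- redirects to http://example.com should
+    # not be allowed, but things like /view/?param=http://example.com
+    # should be allowed. This regex checks if there is a '//' *before* a
+    # question mark.
+    elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to):
+        redirect_to = settings.LOGIN_REDIRECT_URL
 
+    # Okay, security checks complete.
     if request.method == "POST":
         form = authentication_form(data=request.POST)
         if form.is_valid():
-            # Light security check -- make sure redirect_to isn't garbage.
-            if not redirect_to or ' ' in redirect_to:
-                redirect_to = settings.LOGIN_REDIRECT_URL
 
-            # Heavier security check -- redirects to http://example.com should
-            # not be allowed, but things like /view/?param=http://example.com
-            # should be allowed. This regex checks if there is a '//' *before* a
-            # question mark.
-            elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to):
-                redirect_to = settings.LOGIN_REDIRECT_URL
-
-            # Okay, security checks complete. Log the user in.
+            # Log the user in.
             auth_login(request, form.get_user())
 
             if request.session.test_cookie_worked():
@@ -50,6 +52,8 @@
                 return HttpResponseRedirect(redirect_to)
 
     else:
+        if request.user.is_authenticated(): # they are already logged in
+            return HttpResponseRedirect(redirect_to)
         form = authentication_form(request)
 
     request.session.set_test_cookie()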
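Review bot: The hoisted validation still decides whether `redirect_to` is safe by substring heuristics (`' ' in redirect_to` and `re.match(r'[^\?]*//', redirect_to)`), which is a denylist: any target the regex does not anticipate flows unchanged into `HttpResponseRedirect`, and the new GET-path redirect for already-authenticated users (new lines 55–56) now reaches that sink without a valid POST. Parsing the target and accepting only relative paths or the request's own host is the robust form, e.g. `netloc = urlparse(redirect_to).netloc` followed by `if netloc and netloc != request.get_host(): redirect_to = settings.LOGIN_REDIRECT_URL`, which also makes the "//" regex and its four-line comment unnecessary. The trailing comment on the new `is_authenticated()` line would read better as a line of its own above the `if`. The enclosing view starts before the first hunk and continues past the second, so whether `re` and any URL-parsing helper are imported is not visible here.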