Ticket #18856: 18856-1.diff

django/views/i18n.py

@@ -1 +1 @@
 import os
+import re
 import gettext as gettext_module
 
 from django import http
@@ -24 +25 @@
     next = request.REQUEST.get('next', None)
     if not next:
         next = request.META.get('HTTP_REFERER', None)
+        if next and not re.match("^https?://%s/" % re.escape(request.get_host()), next):
+            next = None
     if not next:
         next = '/'
     response = http.HttpResponseRedirect(next)

tests/regressiontests/views/tests/i18n.py

@@ -25 +25 @@
             self.assertRedirects(response, 'http://testserver/views/')
             self.assertEqual(self.client.session['django_language'], lang_code)
 
+    def test_setlang_nonext(self):
+        """Test setlang redirection when next variable is not set"""
+        response = self.client.post('/views/i18n/setlang/', {'language': 'fr'})
+        self.assertRedirects(response, 'http://testserver/')
+
+        response = self.client.post('/views/i18n/setlang/', {'language': 'fr'},
+            HTTP_REFERER='http://testserver/views/')
+        self.assertRedirects(response, 'http://testserver/views/')
+
+        response = self.client.post('/views/i18n/setlang/', {'language': 'fr'},
+            HTTP_REFERER='https://www.evil.org/')
+        self.assertRedirects(response, 'http://testserver/')
+
     def test_setlang_reversal(self):
         self.assertEqual(reverse('set_language'), '/views/i18n/setlang/')
 

tests/urls.py

@@ -1 +1 @@
 from django.conf.urls import patterns, include
 
 urlpatterns = patterns('',
+    (r'^$', 'regressiontests.views.views.index_page'),
+
     # test_client modeltest urls
     (r'^test_client/', include('modeltests.test_client.urls')),
     (r'^test_client_regress/', include('regressiontests.test_client_regress.urls')),