avoid set_language redirect to different host
    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)
HTTP_REFERER can be from a different host, especially when using an external SSO authentication provider.
Then redirecting causes an infinite loop.
Solution:
Like in django.contrib.auth.login:
    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)
    netloc = urlparse.urlparse(next)[1]
    # don't allow redirection to a different
    # host.
    if netloc and netloc != request.get_host():
        next = '/'
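The host check proposed above, as an added stand-alone example (not the ticket's patch or Django's own code): the function picks the redirect target with the same priority as set_language (explicit next, then Referer, then '/') and falls back to '/' whenever the candidate names another host, including scheme-relative "//host/..." forms. The host names and URLs are constructed for illustration.

```python
from urllib.parse import urlparse


def safe_redirect_target(next_param, referer, request_host):
    """Return where set_language should redirect after switching language.

    next_param   -- value of the 'next' request parameter, or None
    referer      -- value of the HTTP Referer header, or None
    request_host -- host (and port, if any) the request was made to
    """
    candidate = next_param or referer
    if not candidate:
        # Neither a 'next' parameter nor a Referer: go to the site root.
        return '/'
    # urlparse handles absolute URLs and scheme-relative ones ("//host/..."),
    # so both forms yield a non-empty netloc that can be compared to the host.
    netloc = urlparse(candidate).netloc
    if netloc and netloc != request_host:
        # Candidate points at another host (e.g. the SSO provider that sent
        # the user here); redirecting there would bounce the user straight
        # back, so stay on our own site instead.
        return '/'
    return candidate


def demo():
    """Walk through the cases the ticket describes, with constructed hosts."""
    host = 'example.com'
    cases = [
        # Referer from an external SSO provider: the loop case from the ticket.
        (None, 'https://sso.example.org/login', host),
        # Referer on our own host: safe to honour.
        (None, 'https://example.com/articles/', host),
        # Relative 'next' parameter wins over a foreign Referer.
        ('/dashboard/', 'https://sso.example.org/login', host),
        # Scheme-relative URL still resolves to a foreign host.
        ('//attacker.example/', None, host),
    ]
    return [safe_redirect_target(n, r, h) for n, r, h in cases]


if __name__ == '__main__':
    for target in demo():
        print(target)
```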
Change History (11)

Owner: changed from nobody to Gunnar Scherf
Cc: Gunnar Scherf added
Owner: Gunnar Scherf removed
Owner: set to nobody
Summary: avois set_language redirect to different host → avoid set_language redirect to different host
Type: Uncategorized → Bug
Component: Uncategorized → Internationalization
Has patch: set
Triage Stage: Unreviewed → Accepted
Triage Stage: Accepted → Ready for checkin
Cc: Florian Apolloner added
Component: Internationalization → Uncategorized
Patch needs improvement: set
Severity: Normal → Release blocker
Triage Stage: Ready for checkin → Accepted
Version: 1.4 → master
Resolution: → fixed
Status: new → closed
Check REFERER before redirection