Opened 3 years ago

Closed 3 years ago

#33648 closed Cleanup/optimization (fixed)

Unnecessary redirect in LogoutView when ?next=... contains "unsafe" URL

Reported by: Aymeric Augustin
Owned by: Aymeric Augustin
Component: contrib.auth
Version: 4.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Reproduction instructions

  • Set LOGOUT_REDIRECT_URL
  • Wire LogoutView.as_view() at /logout/ in the URLconf
  • Add this form to any template: <form action="/logout/?next=http://evil/" method="POST"><input type="submit" value="Logout">{% csrf_token %}</form>
  • Log in, then use the form to log out

Expected result

You are logged out; the next parameter is ignored; you are redirected to LOGOUT_REDIRECT_URL

Actual result

There is an intermediary, useless redirect; see the logs of the development server:

[16/Apr/2022 19:05:38] "POST /logout/?next=http://evil/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /logout/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /en/ HTTP/1.1" 200 13918

I noticed this via code inspection. The implementation of LogoutView.get_next_page seemed a bit weird to me.

This stems from https://github.com/django/django/blame/e12670016bbcebcc0d89c2ac4a0121951181fbae/django/contrib/auth/views.py#L178 which predates the introduction of LOGOUT_REDIRECT_URL.

From the user's perspective, the behavior is correct. There's just an extra round-trip and needlessly complicated code.
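The redirect chain from the description, modelled as an added example that is not Django's code: `is_safe_next` is a simplified stand-in for Django's `url_has_allowed_host_and_scheme`, `logout_redirects` is a hypothetical helper contrasting the pre-fix two-hop chain with the single hop, and the `ALLOWED_HOSTS` set and `/en/` value are constructed to match the log above.

```python
from urllib.parse import urlsplit

# Constructed settings for the walkthrough (not real project values).
LOGOUT_REDIRECT_URL = "/en/"
ALLOWED_HOSTS = {"example.com"}


def is_safe_next(url, allowed_hosts):
    """Return True only for relative paths or http(s) URLs on an allowed host.

    Simplified stand-in for Django's url_has_allowed_host_and_scheme: both the
    raw value and a backslash-normalised copy are checked, because browsers
    treat "/\\evil" like the scheme-relative "//evil".
    """
    if not url or url.startswith("///"):
        return False
    for candidate in (url, url.replace("\\", "/")):
        if candidate.startswith("//"):
            return False
        parts = urlsplit(candidate)
        if parts.scheme and parts.scheme not in ("http", "https"):
            return False
        if parts.netloc and parts.netloc not in allowed_hosts:
            return False
    return True


def logout_redirects(next_url, fixed):
    """Return the Location targets a client follows after POST /logout/?next=...

    fixed=False models the chain the ticket's dev-server log shows (a hop to the
    bare /logout/ before LOGOUT_REDIRECT_URL); fixed=True is the single-hop
    behaviour the ticket asks for. Hypothetical helper, not LogoutView itself.
    """
    if next_url and is_safe_next(next_url, ALLOWED_HOSTS):
        return [next_url]
    if not fixed and next_url:
        return ["/logout/", LOGOUT_REDIRECT_URL]  # the extra round-trip
    return [LOGOUT_REDIRECT_URL]


if __name__ == "__main__":
    for target in ("http://evil/", "/en/", "//evil/", "https://example.com/x"):
        print(target, "->", logout_redirects(target, fixed=False),
              logout_redirects(target, fixed=True))
```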

Change History (3)

comment:1 by Aymeric Augustin, 3 years ago

Has patch: set

comment:2 by Mariusz Felisiak, 3 years ago

Triage Stage: Unreviewed → Accepted

comment:3 by GitHub <noreply@…>, 3 years ago

Resolution: fixed
Status: assigned → closed

In 5591a725:

Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.
