Opened 4 years ago
Closed 4 years ago
#33648 closed Cleanup/optimization (fixed)
Unnecessary redirect in LogoutView when ?next=... contains "unsafe" URL
| Reported by: | Aymeric Augustin | Owned by: | Aymeric Augustin |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.0 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description

Reproduction instructions

- Set `LOGOUT_REDIRECT_URL`
- Wire `LogoutView.as_view()` at `/logout/` in the URLconf
- Add this form to any template:
  `<form action="/logout/?next=http://evil/" method="POST"><input type="submit" value="Logout">{% csrf_token %}</form>`
- Log in, then use the form to log out
Expected result
You are logged out; the next parameter is ignored; you are redirected to LOGOUT_REDIRECT_URL
Actual result
There is an intermediary, useless redirect; see the logs of the development server:
```
[16/Apr/2022 19:05:38] "POST /logout/?next=http://evil/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /logout/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /en/ HTTP/1.1" 200 13918
```
I noticed this via code inspection. The implementation of LogoutView.get_next_page seemed a bit weird to me.
This stems from https://github.com/django/django/blame/e12670016bbcebcc0d89c2ac4a0121951181fbae/django/contrib/auth/views.py#L178 which predates the introduction of LOGOUT_REDIRECT_URL.
From the user's perspective, the behavior is correct. There's just an extra round-trip and needlessly complicated code.
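The extra hop the reporter describes, as an added illustration that is not Django's code: a simplified model of `get_next_page` in its "before" and "after" forms, plus a redirect-chain helper standing in for the browser. Assumptions: `LOGOUT_REDIRECT_URL` is `/en/` (the final hop in the log above), the allowed-host set is constructed, and `url_is_safe` is a simplified stand-in for Django's `url_has_allowed_host_and_scheme`.

```python
from urllib.parse import urlsplit

# Assumed values: the ticket's log shows the final hop landing on /en/,
# and the view is wired at /logout/ as in the reproduction steps.
LOGOUT_REDIRECT_URL = "/en/"
LOGOUT_PATH = "/logout/"


def url_is_safe(url, allowed_hosts):
    """Simplified stand-in for Django's url_has_allowed_host_and_scheme:
    accept a relative path, or an http(s) URL whose host is allowed."""
    if not url:
        return False
    # Browsers treat backslashes as slashes, so normalise before parsing,
    # and reject the "///host" form that urlsplit would read as a bare path.
    normalized = url.replace("\\", "/")
    if normalized.startswith("///"):
        return False
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc and parts.netloc not in allowed_hosts:
        return False
    return True


def next_page_before_fix(next_param, allowed_hosts):
    """Behaviour the ticket describes: an unsafe ?next= is replaced by the
    request path, so the browser is first sent back to /logout/."""
    if next_param is None:
        return LOGOUT_REDIRECT_URL
    return next_param if url_is_safe(next_param, allowed_hosts) else LOGOUT_PATH


def next_page_after_fix(next_param, allowed_hosts):
    """Expected behaviour: an unsafe ?next= is simply ignored."""
    if next_param is not None and url_is_safe(next_param, allowed_hosts):
        return next_param
    return LOGOUT_REDIRECT_URL


def redirect_chain(get_next_page, next_param, allowed_hosts):
    """Follow the redirects a browser makes after POST /logout/?next=...
    Each follow-up GET /logout/ re-runs get_next_page with no next parameter."""
    hops = []
    target = get_next_page(next_param, allowed_hosts)
    while target == LOGOUT_PATH:
        hops.append(target)
        target = get_next_page(None, allowed_hosts)
    hops.append(target)
    return hops
```

`redirect_chain(next_page_before_fix, "http://evil/", {"testserver"})` reproduces the two-hop log above, while the `after` variant goes straight to `/en/`.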
Change History (3)
comment:1 by , 4 years ago
| Has patch: | set |
|---|---|
comment:2 by , 4 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
comment:3 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
In 5591a725: