Opened 3 years ago
Closed 3 years ago
#33648 closed Cleanup/optimization (fixed)
Unnecessary redirect in LogoutView when ?next=... contains "unsafe" URL
Reported by: Aymeric Augustin | Owned by: Aymeric Augustin
Component: contrib.auth | Version: 4.0
Severity: Normal | Keywords:
Cc: | Triage Stage: Accepted
Has patch: yes | Needs documentation: no
Needs tests: no | Patch needs improvement: no
Easy pickings: no | UI/UX: no
Description
Reproduction instructions
- Set LOGOUT_REDIRECT_URL
- Wire LogoutView.as_view() at /logout/ in the URLconf
- Add this form to any template:
  <form action="/logout/?next=http://evil/" method="POST"><input type="submit" value="Logout">{% csrf_token %}</form>
- Log in, then use the form to log out
Expected result
You are logged out; the next parameter is ignored; you are redirected to LOGOUT_REDIRECT_URL
Actual result
There is an intermediary, useless redirect; see the logs of the development server:
[16/Apr/2022 19:05:38] "POST /logout/?next=http://evil/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /logout/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /en/ HTTP/1.1" 200 13918
I noticed this via code inspection. The implementation of LogoutView.get_next_page seemed a bit weird to me.
This stems from https://github.com/django/django/blame/e12670016bbcebcc0d89c2ac4a0121951181fbae/django/contrib/auth/views.py#L178 which predates the introduction of LOGOUT_REDIRECT_URL.
From the user's perspective, the behavior is correct. There's just an extra round-trip and needlessly complicated code.
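The following is an added illustration, not code from the ticket or from Django itself. It models the two redirect chains described above: the pre-fix behaviour, where an unsafe next value sends the browser back to the logout view's own path before the view redirects to LOGOUT_REDIRECT_URL (the three log lines in the report), against the expected behaviour, where the unsafe value is simply ignored. The url_is_safe function is a simplified stand-in for Django's url_has_allowed_host_and_scheme, the Request class is a minimal substitute for an HttpRequest, and the setting value /en/ and host example.com are assumptions chosen to match the log.

```python
# Added example (not Django's own code): compares the pre-fix and post-fix
# resolution of the redirect target for POST /logout/?next=... and counts the
# redirect hops a browser would follow. url_is_safe is a simplified stand-in
# for Django's url_has_allowed_host_and_scheme; Request, LOGOUT_REDIRECT_URL
# and ALLOWED_HOSTS are assumptions made for this example.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LOGOUT_REDIRECT_URL = "/en/"      # assumed value of the setting
ALLOWED_HOSTS = {"example.com"}   # assumed host the site is served on


def url_is_safe(url, allowed_hosts, require_https=False):
    """Return True only for redirect targets that stay on an allowed host.

    Accepts relative paths and absolute http(s) URLs whose host is allowed.
    Rejects other hosts, non-http schemes (javascript:, data:, ...),
    protocol-relative //host URLs and anything containing a backslash, which
    some browsers normalise to a slash (so "/\\evil" would become "//evil").
    """
    url = url.strip()
    if not url:
        return False
    if url.startswith("///") or "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # A scheme without a netloc (e.g. "javascript:alert(1)") is never safe.
    if parts.scheme and not parts.netloc:
        return False
    allowed_schemes = ["https"] if require_https else ["http", "https"]
    if parts.scheme and parts.scheme not in allowed_schemes:
        return False
    return not parts.netloc or parts.netloc in allowed_hosts


@dataclass
class Request:
    """Minimal stand-in for the parts of an HttpRequest the view reads."""
    path: str
    GET: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    host: str = "example.com"


def next_page_before_fix(request):
    """Pre-fix resolution as the ticket describes it: an unsafe ``next``
    redirects to the view's own path, which then redirects once more."""
    next_page = LOGOUT_REDIRECT_URL
    if "next" in request.POST or "next" in request.GET:
        next_page = request.POST.get("next", request.GET.get("next"))
        if not url_is_safe(next_page, {request.host}):
            next_page = request.path
    return next_page


def next_page_after_fix(request):
    """Expected resolution: an unsafe ``next`` is ignored outright."""
    next_page = LOGOUT_REDIRECT_URL
    candidate = request.POST.get("next", request.GET.get("next"))
    if candidate is not None and url_is_safe(candidate, {request.host}):
        next_page = candidate
    return next_page


def follow_logout(resolver, next_value):
    """Simulate a browser submitting the logout form and following redirects.

    Returns the list of (method, path) requests made, ending with the final
    page load, so the number of 302 hops is len(trace) - 1.
    """
    request = Request(path="/logout/", GET={"next": next_value})
    trace = [("POST", "/logout/?next=" + next_value)]
    location = resolver(request)
    # Each time the redirect lands on the logout view again, it is re-run
    # without a next parameter.
    while location == "/logout/":
        trace.append(("GET", location))
        location = resolver(Request(path="/logout/"))
    trace.append(("GET", location))
    return trace


if __name__ == "__main__":
    for name, resolver in (("before", next_page_before_fix),
                           ("after", next_page_after_fix)):
        for method, path in follow_logout(resolver, "http://evil/"):
            print(f"{name}: {method} {path}")
```

Running the block shows three requests for the pre-fix resolver (POST /logout/?next=http://evil/, GET /logout/, GET /en/) and two for the post-fix resolver; a safe relative next such as /dashboard/ yields the same two-request chain under both. The safety check deliberately rejects backslashes rather than normalising them, which is stricter than Django's check but safe in the same direction.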
Change History (3)
comment:1 by , 3 years ago
Has patch: set
comment:2 by , 3 years ago
Triage Stage: Unreviewed → Accepted
comment:3 by , 3 years ago
Resolution: → fixed
Status: assigned → closed
In 5591a725: