id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33648	"Unnecessary redirect in LogoutView when ?next=... contains ""unsafe"" URL"	Aymeric Augustin	Aymeric Augustin	"**Reproduction instructions**

* Set `LOGOUT_REDIRECT_URL`
* Wire `LogoutView.as_view()` at `/logout/` in the URLconf
* Add this form to any template: `<form action=""/logout/?next=http://evil/"" method=""POST""><input type=""submit"" value=""Logout"">{% csrf_token %}</form>`
* Log in, then use the form to log out

**Expected result**

You are logged out; the `next` parameter is ignored; you are redirected to `LOGOUT_REDIRECT_URL`

**Actual result**

There is an intermediary, useless redirect; see the logs of the development server:

{{{
[16/Apr/2022 19:05:38] ""POST /logout/?next=http://evil/ HTTP/1.1"" 302 0
[16/Apr/2022 19:05:38] ""GET /logout/ HTTP/1.1"" 302 0
[16/Apr/2022 19:05:38] ""GET /en/ HTTP/1.1"" 200 13918
}}}

I noticed this via code inspection. The implementation of LogoutView.get_next_page seemed a bit weird to me.

This stems from https://github.com/django/django/blame/e12670016bbcebcc0d89c2ac4a0121951181fbae/django/contrib/auth/views.py#L178 which predates the introduction of `LOGOUT_REDIRECT_URL`.

From the user's perspective, the behavior is correct. There's just an extra round-trip and needlessly complicated code."	Cleanup/optimization	closed	contrib.auth	4.0	Normal	fixed			Accepted	1	0	0	0	0	0
