Ticket #10629: auth_redirect_ssl.diff

File auth_redirect_ssl.diff, 1.9 KB (added by Ryan Kelly, 16 years ago)
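--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -1,3 +1,5 @@
+import urlparse
+
 from django.conf import settings
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.decorators import login_required
@@ -20,9 +22,14 @@
     if request.method == "POST":
         form = AuthenticationForm(data=request.POST)
         if form.is_valid():
-            # Light security check -- make sure redirect_to isn't garbage.
-            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
+            if not redirect_to:
                 redirect_to = settings.LOGIN_REDIRECT_URL
+            else:
+                # Light security check -- make sure redirect_to
+                # doesn't reference a third-party site.
+                url = urlparse.urlparse(redirect_to)
+                if url.netloc and url.netloc != request.get_host():
+                    redirect_to = settings.LOGIN_REDIRECT_URL
             from django.contrib.auth import login
             login(request, form.get_user())
             if request.session.test_cookie_worked():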
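Review bot: The new check `if url.netloc and url.netloc != request.get_host():` only constrains the host part, so a redirect_to whose netloc is empty but whose scheme is not HTTP(S) passes through unchanged, and dropping the old `' ' in redirect_to` test means whitespace in the target is no longer rejected either. Tightening the condition to `if url.scheme not in ('', 'http', 'https') or (url.netloc and url.netloc != request.get_host()):` keeps the commit's intent while also pinning the scheme. Note that `request.get_host()` is derived from the request's Host header, so this comparison is only as trustworthy as the deployment's host validation; a short comment such as `# get_host() comes from the Host header; this relies on host validation upstream.` would make that dependency visible. The enclosing view function starts and ends outside the hunk.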
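--- a/django/contrib/auth/decorators.py
+++ b/django/contrib/auth/decorators.py
@@ -65,6 +65,6 @@
     def __call__(self, request, *args, **kwargs):
         if self.test_func(request.user):
             return self.view_func(request, *args, **kwargs)
-        path = urlquote(request.get_full_path())
-        tup = self.login_url, self.redirect_field_name, path
+        cur_url =  "%s://%s%s" % (request.is_secure() and "https" or "http",request.get_host(),request.get_full_path())
+        tup = self.login_url, self.redirect_field_name, urlquote(cur_url)
         return HttpResponseRedirect('%s?%s=%s' % tup)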
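Review bot: The `and`/`or` construction on the `cur_url = ...` line is the pre-conditional-expression ternary idiom and, together with the unspaced argument list and double space after `=`, is hard to read; `scheme = "https" if request.is_secure() else "http"` followed by `cur_url = "%s://%s%s" % (scheme, request.get_host(), request.get_full_path())` says the same thing, and `request.build_absolute_uri()` already encapsulates exactly this construction if the project's minimum Django version provides it. Since the `next` value is now an absolute URL built from the Host header rather than a path, a comment stating why an absolute URL is needed here would help the next reader, presumably `# Absolute URL so an https request is not sent back over plain http after login.` given the ticket's SSL intent. The enclosing class continues outside the hunk.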