Ticket #12534: 12534_with_test.diff

File 12534_with_test.diff, 1.8 KB (added by Aymeric Augustin, 14 years ago)

  • django/contrib/auth/views.py

     
    3434        if form.is_valid():
    3535            netloc = urlparse.urlparse(redirect_to)[1]
    3636
    37             # Light security check -- make sure redirect_to isn't garbage.
    38             if not redirect_to or ' ' in redirect_to:
     37            # Use default setting if redirect_to is empty
     38            if not redirect_to:
    3939                redirect_to = settings.LOGIN_REDIRECT_URL
    4040
    41             # Heavier security check -- don't allow redirection to a different
     41            # Security check -- don't allow redirection to a different
    4242            # host.
    4343            elif netloc and netloc != request.get_host():
    4444                redirect_to = settings.LOGIN_REDIRECT_URL

  • django/contrib/auth/tests/views.py

     
    236236                         '/view?param=ftp://exampel.com',
    237237                         'view/?param=//example.com',
    238238                         'https:///',
    239                          '//testserver/'):
     239                         '//testserver/',
     240                         '/url%20with%20spaces/', # see ticket #12534
     241                         ):
    240242            safe_url = '%(url)s?%(next)s=%(good_url)s' % {
    241243                'url': login_url,
    242244                'next': REDIRECT_FIELD_NAME,
     
    251253            self.assertTrue(good_url in response['Location'],
    252254                            "%s should be allowed" % good_url)
    253255
     256
    254257class LoginURLSettings(AuthViewsTestCase):
    255258    urls = 'django.contrib.auth.tests.urls'
    256259   
Back to Top