mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00
Code Issues 32 Releases Wiki Activity

Refs #26902 -- Protected against insecure redirects in set_language().

Browse Source
This commit is contained in:
Przemysław Suliga
2016-08-19 14:32:21 +02:00
committed by Tim Graham
parent 549b90fab3
commit 1f68bb5683
3 changed files with 25 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
tests/view_tests/tests/test_i18n.py
View File

@@ -54,6 +54,23 @@ class I18NTests(TestCase):
self.assertEqual(response.url, '/')
self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
def test_setlang_http_next(self):
"""
The set_language view only redirects to the 'next' argument if it is
"safe" and its scheme is https if the request was sent over https.
"""
lang_code = self._get_inactive_language_code()
non_https_next_url = 'http://testserver/redirection/'
post_data = dict(language=lang_code, next=non_https_next_url)
# Insecure URL in POST data.
response = self.client.post('/i18n/setlang/', data=post_data, secure=True)
self.assertEqual(response.url, '/')
self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
# Insecure URL in HTTP referer.
response = self.client.post('/i18n/setlang/', secure=True, HTTP_REFERER=non_https_next_url)
self.assertEqual(response.url, '/')
self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code)
def test_setlang_redirect_to_referer(self):
"""
The set_language view redirects to the URL in the referer header when