Refs #26902 -- Protected against insecure redirects in Login/LogoutView.

2025-10-24 06:06:09 +00:00 · 2016-08-19 13:40:21 +02:00
parent 5e5a17028f
commit 549b90fab3
3 changed files with 51 additions and 2 deletions
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -551,6 +551,23 @@ class LoginTest(AuthViewsTestCase):
            self.assertEqual(response.status_code, 302)
            self.assertIn(good_url, response.url, "%s should be allowed" % good_url)

+    def test_security_check_https(self):
+        login_url = reverse('login')
+        non_https_next_url = 'http://testserver/path'
+        not_secured_url = '%(url)s?%(next)s=%(next_url)s' % {
+            'url': login_url,
+            'next': REDIRECT_FIELD_NAME,
+            'next_url': urlquote(non_https_next_url),
+        }
+        post_data = {
+            'username': 'testclient',
+            'password': 'password',
+        }
+        response = self.client.post(not_secured_url, post_data, secure=True)
+        self.assertEqual(response.status_code, 302)
+        self.assertNotEqual(response.url, non_https_next_url)
+        self.assertEqual(response.url, settings.LOGIN_REDIRECT_URL)
+
    def test_login_form_contains_request(self):
        # 15198
        self.client.post('/custom_requestauth_login/', {
@@ -919,6 +936,21 @@ class LogoutTest(AuthViewsTestCase):
            self.assertIn(good_url, response.url, "%s should be allowed" % good_url)
            self.confirm_logged_out()

+    def test_security_check_https(self):
+        logout_url = reverse('logout')
+        non_https_next_url = 'http://testserver/'
+        url = '%(url)s?%(next)s=%(next_url)s' % {
+            'url': logout_url,
+            'next': REDIRECT_FIELD_NAME,
+            'next_url': urlquote(non_https_next_url),
+        }
+        self.login()
+        response = self.client.get(url, secure=True)
+        self.assertEqual(response.status_code, 302)
+        self.assertNotEqual(response.url, non_https_next_url)
+        self.assertEqual(response.url, logout_url)
+        self.confirm_logged_out()
+
    def test_logout_preserve_language(self):
        """Check that language stored in session is preserved after logout"""
        # Create a new session with language