author | Aymeric Augustin <aymeric.augustin@m4x.org> | 2022-04-18 16:33:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-18 16:33:10 +0200 |
commit | 5591a72571b8a07c5e3d87dcfe08310bb7611d15 (patch) | |
tree | 152065942c5e56eb44dcb66e6234e9e00449e478 /tests/auth_tests | |
parent | fe7cb345448822528ce0447141810c27f9e56cff (diff) | |
download | django-5591a72571b8a07c5e3d87dcfe08310bb7611d15.tar.gz |
Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.
Diffstat (limited to 'tests/auth_tests')
-rw-r--r-- | tests/auth_tests/test_views.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 622a40de22..dbff931753 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -1335,6 +1335,12 @@ class LogoutTest(AuthViewsTestCase):
 response = self.client.post("/logout/")
 self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
 
+ @override_settings(LOGOUT_REDIRECT_URL="/custom/")
+ def test_logout_redirect_url_setting_allowed_hosts_unsafe_host(self):
+ self.login()
+ response = self.client.post("/logout/allowed_hosts/?next=https://evil/")
+ self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
+
 @override_settings(LOGOUT_REDIRECT_URL="logout")
 def test_logout_redirect_url_named_setting(self):
 self.login() |
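Review bot: The new test `test_logout_redirect_url_setting_allowed_hosts_unsafe_host` asserts only the redirect target, so it would still pass if the rejected-`next` path skipped ending the session. Since the request follows `self.login()`, consider also checking the logged-out state after the `assertRedirects` call, e.g. `self.confirm_logged_out()` if that helper is available on `AuthViewsTestCase` (not visible in this hunk). A one-line comment such as `# An unsafe "next" host falls back to LOGOUT_REDIRECT_URL in a single redirect.` would also record why the exact `/custom/` target and `fetch_redirect_response=False` matter here. The enclosing `LogoutTest` class starts and ends outside the hunk.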