Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.

author: Aymeric Augustin <aymeric.augustin@m4x.org> 2022-04-18 16:33:10 +0200
committer: GitHub <noreply@github.com> 2022-04-18 16:33:10 +0200
commit: 5591a72571b8a07c5e3d87dcfe08310bb7611d15 (patch)
tree: 152065942c5e56eb44dcb66e6234e9e00449e478 /tests/auth_tests
parent: fe7cb345448822528ce0447141810c27f9e56cff (diff)
download: django-5591a72571b8a07c5e3d87dcfe08310bb7611d15.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 622a40de22..dbff931753 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -1335,6 +1335,12 @@ class LogoutTest(AuthViewsTestCase):
         response = self.client.post("/logout/")
         self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
 
+    @override_settings(LOGOUT_REDIRECT_URL="/custom/")
+    def test_logout_redirect_url_setting_allowed_hosts_unsafe_host(self):
+        self.login()
+        response = self.client.post("/logout/allowed_hosts/?next=https://evil/")
+        self.assertRedirects(response, "/custom/", fetch_redirect_response=False)
+
     @override_settings(LOGOUT_REDIRECT_URL="logout")
     def test_logout_redirect_url_named_setting(self):
         self.login()
author	Aymeric Augustin <aymeric.augustin@m4x.org>	2022-04-18 16:33:10 +0200
committer	GitHub <noreply@github.com>	2022-04-18 16:33:10 +0200
commit	5591a72571b8a07c5e3d87dcfe08310bb7611d15 (patch)
tree	152065942c5e56eb44dcb66e6234e9e00449e478 /tests/auth_tests
parent	fe7cb345448822528ce0447141810c27f9e56cff (diff)
download	django-5591a72571b8a07c5e3d87dcfe08310bb7611d15.tar.gz