#33648: Unnecessary redirect in LogoutView when ?next=... contains "unsafe" URL
-------------------------------------+-------------------------------------
Reporter: Aymeric Augustin | Owner: Aymeric Augustin
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: 4.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
**Reproduction instructions**
* Set `LOGOUT_REDIRECT_URL`
* Wire `LogoutView.as_view()` at `/logout/` in the URLconf
* Add this form to any template: `<form action="/logout/?next=http://evil/" method="POST"><input type="submit" value="Logout">{% csrf_token %}</form>`
* Log in, then use the form to log out
**Expected result**
You are logged out; the `next` parameter is ignored; you are redirected to
`LOGOUT_REDIRECT_URL`
**Actual result**
There is an intermediary, useless redirect; see the logs of the
development server:
{{{
[16/Apr/2022 19:05:38] "POST /logout/?next=http://evil/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /logout/ HTTP/1.1" 302 0
[16/Apr/2022 19:05:38] "GET /en/ HTTP/1.1" 200 13918
}}}
I noticed this via code inspection. The implementation of
`LogoutView.get_next_page` seemed a bit weird to me.
This stems from
https://github.com/django/django/blame/e12670016bbcebcc0d89c2ac4a0121951181fbae/django/contrib/auth/views.py#L178
which predates the introduction of `LOGOUT_REDIRECT_URL`.
From the user's perspective, the behavior is correct. There's just an
extra round-trip and needlessly complicated code.
--
Ticket URL: <https://code.djangoproject.com/ticket/33648>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
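The decision the ticket describes, reproduced as a stand-alone model (this is an added illustration, not code from the ticket or from Django itself). The safe-URL check is a trimmed re-implementation modelled on `django.utils.http.url_has_allowed_host_and_scheme` so that it runs without Django installed; the function names `url_is_safe`, `next_page_current`, `next_page_proposed` and `redirect_chain` are hypothetical, and the `/en/` target is assumed from the ticket's log rather than stated as `LOGOUT_REDIRECT_URL`. `next_page_current` mirrors the reported behaviour (an unsafe `next` falls back to `request.path`, producing the extra hop through `/logout/`); `next_page_proposed` drops the detour by ignoring the unsafe value outright.

```python
"""Model of LogoutView's ?next= handling as described in the ticket.
Added example, not Django's code: url_is_safe is a simplified re-implementation
modelled on django.utils.http.url_has_allowed_host_and_scheme so it runs
without Django installed.  Function and parameter names are hypothetical."""
import unicodedata
from urllib.parse import urlsplit


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    # Chrome treats three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil" has a scheme but no netloc; browsers still read "evil" as the host.
    if parts.scheme and not parts.netloc:
        return False
    # A leading control character can make a browser treat the URL as scheme-relative.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:  # "//evil/" is effectively http://evil/
        scheme = "http"
    valid = ("https",) if require_https else ("http", "https")
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid
    )


def url_is_safe(url, allowed_hosts, require_https=False):
    """True only if url stays on an allowed host with an allowed scheme."""
    url = (url or "").strip()
    if not url:
        return False
    # Also check the backslash-normalised form: browsers treat "\" as "/" in paths.
    return _host_and_scheme_ok(url, allowed_hosts, require_https) and _host_and_scheme_ok(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def next_page_current(next_param, request_path, logout_redirect_url, allowed_hosts, is_secure):
    """Target chosen by the behaviour the ticket reports: an unsafe ?next=
    falls back to request.path, which then redirects a second time."""
    target = logout_redirect_url
    if next_param is not None:  # parameter present in GET or POST
        if url_is_safe(next_param, allowed_hosts, is_secure):
            target = next_param
        else:
            target = request_path
    return target


def next_page_proposed(next_page, request_path, logout_redirect_url, allowed_hosts, is_secure):
    """Same decision without the detour: an unsafe ?next= is simply ignored."""
    if next_page is not None and url_is_safe(next_page, allowed_hosts, is_secure):
        return next_page
    return logout_redirect_url


def redirect_chain(chooser, next_param, allowed_hosts, logout_redirect_url="/en/", is_secure=False):
    """Location values a client would follow after POST /logout/?next=...
    (constructed walk-through; "/en/" is assumed from the ticket's log)."""
    hops = []
    target = chooser(next_param, "/logout/", logout_redirect_url, allowed_hosts, is_secure)
    hops.append(target)
    if target == "/logout/":  # the client now GETs /logout/ with no ?next=
        hops.append(chooser(None, "/logout/", logout_redirect_url, allowed_hosts, is_secure))
    return hops


if __name__ == "__main__":
    hosts = {"example.com"}
    print("current :", redirect_chain(next_page_current, "http://evil/", hosts))
    print("proposed:", redirect_chain(next_page_proposed, "http://evil/", hosts))
```

Running the block prints the two-hop chain `['/logout/', '/en/']` for the reported behaviour against the single hop `['/en/']` for the proposed one; in both cases `http://evil/` is never used as a redirect target, which is why the ticket classes this as cleanup rather than a security issue.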