URL redirection from remote source (#29)

2025-12-06 06:17:17 +00:00 · 2021-05-04 18:21:12 +01:00
parent 96f90469cf
commit 659862a628
1 changed files with 5 additions and 1 deletions
--- a/comic_auth/views.py
+++ b/comic_auth/views.py
@@ -1,6 +1,7 @@
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.models import User
 from django.shortcuts import redirect, render
+from django.utils.http import url_has_allowed_host_and_scheme

 from comic_auth.forms import LoginForm

@@ -14,9 +15,12 @@ def comic_login(request):
                if user.is_active:
                    login(request, user)
                    if "next" in request.GET:
+                        if url_has_allowed_host_and_scheme(request.GET["next"], allowed_hosts=None):
                            return redirect(request.GET["next"])
                        else:
                            return redirect("/comic/")
+                    else:
+                        return redirect("/comic/")
                else:
                    return render(request, "comic_auth/login.html", {"error": True})
            else: