[Django] #26956: Allow additional safe hosts for "next" parameter during login


Django

Jul 26, 2016, 12:08:08 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
------------------------------+--------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
Use case:

* Django application using auth for authentication
* Django application is one part of a loosely coupled network of
applications written in multiple languages/frameworks
* These other applications are hosted on different domains
* '''Goal''', upon successful login, Django should be able to redirect to
these other applications

To solve this use case I propose the following changes:

* Change `is_safe_url()` so the `host` argument can also accept a list of
hosts.
* Change `LoginView` to add a new class member `allowed_hosts`. This
member is a list of allowed hosts to pass to `is_safe_url()` in
`LoginView.get_success_url()`. I think `self.request.get_host()` will
always be implicitly added to this list.

--
Ticket URL: <https://code.djangoproject.com/ticket/26956>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
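
The check proposed in this ticket, sketched as an added example; it is not Django's code or the patch from the PR. The function names `is_safe_redirect` and `resolve_next` and the `example.com`/`example.net` hosts are hypothetical, and only the standard library is used, so the parsing is a simplified stand-in for `is_safe_url()`.

```python
from urllib.parse import urlsplit


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` stays on one of `allowed_hosts`.

    Hypothetical helper written for this example; a simplified stand-in
    for the multi-host check the ticket proposes, not Django's code.
    """
    if not url or not url.strip():
        return False
    url = url.strip()
    # Browsers treat "\" like "/" and collapse extra slashes, so "/\host"
    # and "///host" can leave the site even though they look like paths.
    if "\\" in url or url.startswith("///"):
        return False
    # Control characters are dropped by browsers and confuse parsers.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.netloc:
        # No host: safe only if there is no scheme either ("javascript:...").
        return not parts.scheme
    # "//host/path" inherits the page's scheme; treat it as http.
    scheme = parts.scheme or "http"
    if scheme not in (("https",) if require_https else ("http", "https")):
        return False
    # Compare the whole netloc, so "good@evil" and "good:8443" do not
    # match an entry for "good".
    return parts.netloc.lower() in allowed_hosts


def resolve_next(next_url, request_host, extra_allowed_hosts=(), default="/"):
    """Pick the post-login redirect; the request's own host is always allowed."""
    allowed = {request_host.lower(), *(h.lower() for h in extra_allowed_hosts)}
    return next_url if is_safe_redirect(next_url, allowed) else default


# Constructed sample values: sso.example.com runs the login view,
# billing.example.net is a sibling application on another domain.
EXTRA = ["billing.example.net"]
for candidate in ["/dashboard/", "https://billing.example.net/invoices",
                  "https://billing.example.net@evil.example/", "//evil.example/x"]:
    print(candidate, "->", resolve_next(candidate, "sso.example.com", EXTRA))
```

Because the comparison is against the full netloc, every host (and non-default port) that should be reachable after login has to be listed explicitly; anything else falls back to `default`.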

Django

Jul 26, 2016, 12:43:08 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
------------------------------+------------------------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by charettes):

* needs_better_patch: => 0
* needs_docs: => 0
* needs_tests: => 0
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:1>

Django

Jul 26, 2016, 12:48:05 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
------------------------------+------------------------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by charettes):

As `allowed_hosts` would only be used by the `get_success_url()` method I
suggest giving the class member or method a more explicit name
(`get_success_url_allowed_hosts()`?)

--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:2>

Django

Jul 26, 2016, 9:21:11 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
------------------------------+------------------------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by jdufresne):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/6979 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:3>

Django

Sep 7, 2016, 1:10:11 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
-------------------------------------+-------------------------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:4>

Django

Sep 7, 2016, 11:35:21 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
-------------------------------------+-------------------------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Jon Dufresne <jon.dufresne@…>):

In [changeset:"f227b8d15d9d0e0c50eb6459cf4556bccc3fae53" f227b8d]:
{{{
#!CommitTicketReference repository=""
revision="f227b8d15d9d0e0c50eb6459cf4556bccc3fae53"
Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:5>

Django

Sep 7, 2016, 11:35:21 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
-------------------------------------+-------------------------------------
Reporter: jdufresne | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jon Dufresne <jon.dufresne@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"66e1ebbffc2742deb9b2051c6de89c0ac58fcc89" 66e1ebbf]:
{{{
#!CommitTicketReference repository=""
revision="66e1ebbffc2742deb9b2051c6de89c0ac58fcc89"
Fixed #26956 -- Added success_url_allowed_hosts to LoginView and
LogoutView.

Allows specifying additional hosts to redirect after login and log out.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:6>

Django

Sep 22, 2017, 1:39:42 PM
to django-...@googlegroups.com
#26956: Allow additional safe hosts for "next" parameter during login
-------------------------------------+-------------------------------------
Reporter: Jon Dufresne | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"96107e2844d27a7713152515051654ce70d57660" 96107e2]:
{{{
#!CommitTicketReference repository=""
revision="96107e2844d27a7713152515051654ce70d57660"
Refs #26956 -- Removed the host parameter of
django.utils.http.is_safe_url().

Per deprecation timeline.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26956#comment:7>
