~michael.nelson/django-openid-auth/701489-fire-event-with-sreg-response


Viewing changes to django_openid_auth/views.py

Make sanitise_redirect_url map the empty string to LOGIN_REDIRECT_URL.  Fixes bug #510866.

64
64
def sanitise_redirect_url(redirect_to):
65
65
    """Sanitise the redirection URL."""
66
66
    # Light security check -- make sure redirect_to isn't garbage.
67
 
    if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
 
67
    is_valid = True
 
68
    if not redirect_to or ' ' in redirect_to:
 
69
        is_valid = False
 
70
    elif '//' in redirect_to:
68
71
        # Allow the redirect URL to be external if it's a permitted domain
69
72
        allowed_domains = getattr(settings, 
70
73
            "ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS", [])
75
78
            if netloc.find(":") != -1:
76
79
                netloc, _ = netloc.split(":", 1)
77
80
            if netloc not in allowed_domains:
78
 
                redirect_to = settings.LOGIN_REDIRECT_URL
79
 
        else:
80
 
            # netloc is blank, so it's a local URL (possibly with another URL
81
 
            # passed in the querystring. Allow it.)
82
 
            pass
 
81
                is_valid = False
 
82
 
 
83
    # If the return_to URL is not valid, use the default.
 
84
    if not is_valid:
 
85
        redirect_to = settings.LOGIN_REDIRECT_URL
 
86
 
83
87
    return redirect_to
84
88
 
85
89
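Review bot: The `'//' in redirect_to` test is the only thing that routes a value into the domain allow-list, so a redirect_to such as `/\evil.example` — no space, no `//` — leaves `is_valid` at its initial True and is returned verbatim by the final `return redirect_to`; many browsers treat a backslash in the authority position as a slash and navigate off-site, which makes this a residual open redirect. Adding backslash to the cheap rejection, `if not redirect_to or ' ' in redirect_to or '\\' in redirect_to:`, closes that path and is fail-closed, since a legitimate local path should never contain one. Separately, nothing constrains the scheme once `netloc` is in `allowed_domains`, so a value like `javascript://allowed.example/...` would pass if that domain were configured; comparing the parsed scheme against `('http', 'https')` before accepting would be a cheap extra guard. The lines that derive `netloc` (old 71–74) fall outside this hunk, so I cannot confirm how the URL is parsed; `sanitise_redirect_url` itself is visible from its `def` through its `return`.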