Refs #26902 -- Protected against insecure redirects in set_language().

Przemysław Suliga 2016-08-19 14:32:21 +02:00 committed by Tim Graham
parent 549b90fab3
commit 1f68bb5683
3 changed files with 25 additions and 7 deletions


@ -356,12 +356,12 @@ to assign a free port. The ``DJANGO_LIVE_TEST_SERVER_ADDRESS`` environment
variable is no longer used, and as it's also no longer used, the
``manage.py test --liveserver`` option is removed.
Protection against insecure redirects in :mod:`django.contrib.auth` views
-------------------------------------------------------------------------
Protection against insecure redirects in :mod:`django.contrib.auth` and ``i18n`` views
--------------------------------------------------------------------------------------
``LoginView`` and ``LogoutView`` (and the deprecated function-based equivalents)
protect users from being redirected to non-HTTPS ``next`` URLs when the app
is running over HTTPS.
``LoginView``, ``LogoutView`` (and the deprecated function-based equivalents),
and :func:`~django.views.i18n.set_language` protect users from being redirected
to non-HTTPS ``next`` URLs when the app is running over HTTPS.
Miscellaneous
-------------
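
Review bot: The new section title marks up ``i18n`` as a plain literal while ``django.contrib.auth`` beside it uses the :mod: role, and it says "views" in the plural although the paragraph names only set_language as the affected i18n view. Consider writing :mod:`django.views.i18n` in the title, or naming set_language() there directly, so the scope of the change is unambiguous and the reference is linked consistently. The rewritten paragraph also does not say what happens to a request whose ``next`` value is rejected as non-HTTPS; a short clause describing the fallback would help readers who are upgrading and rely on that redirect.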