Refs #26902 -- Protected against insecure redirects in Login/LogoutView.

Przemysław Suliga 2016-08-19 13:40:21 +02:00 committed by Tim Graham
parent 5e5a17028f
commit 549b90fab3
3 changed files with 51 additions and 2 deletions

@ -356,6 +356,13 @@ to assign a free port. The ``DJANGO_LIVE_TEST_SERVER_ADDRESS`` environment
variable is no longer used, and as it's also no longer used, the
``manage.py test --liveserver`` option is removed.
Protection against insecure redirects in :mod:`django.contrib.auth` views
-------------------------------------------------------------------------
``LoginView`` and ``LogoutView`` (and the deprecated function-based equivalents)
protect users from being redirected to non-HTTPS ``next`` URLs when the app
is running over HTTPS.
Miscellaneous
-------------
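Review bot: the new paragraph under "Protection against insecure redirects in :mod:`django.contrib.auth` views" says users are protected from non-HTTPS ``next`` URLs, but it does not say what the views do instead when such a URL is supplied, or how "running over HTTPS" is decided. The entry sits between the ``--liveserver`` removal note and "Miscellaneous", so readers will treat it as a behaviour change they may need to act on. Suggest adding one sentence that states the resulting behaviour and what a project should do if it relied on sending users to an HTTP URL after login or logout. As a wording point, "the app" is ambiguous in Django docs (project vs. installed app); "the site" or a phrasing tied to the request being served over HTTPS would be clearer.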