
Fix open redirect vulnerability in account login/logout views#2905

Merged
deniszh merged 6 commits intomasterfrom
copilot/fix-issue-2871
Mar 17, 2026

Conversation


Copilot AI commented Mar 17, 2026

The nextPage parameter in loginView, logoutView, and updateProfile was passed directly to HttpResponseRedirect with no validation, allowing unauthenticated attackers to redirect users to arbitrary external domains (e.g. /account/logout?nextPage=http://evil.example.com).

Changes

  • account/views.py: Added _get_safe_next_page() helper using Django's url_has_allowed_host_and_scheme() to validate redirect targets. External URLs fall back to reverse('browser'). Applied to all three affected views.

    ```python
    from django.urls import reverse
    from django.utils.http import url_has_allowed_host_and_scheme


    def _get_safe_next_page(request, param_value):
        # Accept the target only if its host is this request's host (and,
        # for HTTPS requests, its scheme is also https); otherwise ignore
        # the supplied nextPage and send the user to the local 'browser' URL.
        if url_has_allowed_host_and_scheme(
            url=param_value,
            allowed_hosts={request.get_host()},
            require_https=request.is_secure(),
        ):
            return param_value
        return reverse('browser')
    ```

  • tests/test_account.py: New test module covering blocked external redirects and permitted relative redirects for login and logout flows.


Co-authored-by: deniszh <1227222+deniszh@users.noreply.github.com>
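To make the accepted and rejected cases concrete without a Django install, here is an added stand-alone re-implementation of the host/scheme rules the fix relies on (example code, not the PR's or the project's own; the host `app.example`, the `/browser/` fallback standing in for `reverse('browser')`, and the sample targets are constructed):

```python
from urllib.parse import urlsplit

# Constructed sample values; "app.example" stands in for request.get_host().
REQUEST_HOST = "app.example"
FALLBACK = "/browser/"  # placeholder for reverse('browser')


def is_safe_redirect_target(url, allowed_hosts, require_https=False):
    """Return True only if `url` keeps the browser on an allowed host.

    Re-implementation of the rules Django's url_has_allowed_host_and_scheme()
    enforces, written for this example; it is not Django's own code.
    """
    if not url:
        return False
    url = url.strip()
    # Browsers treat a backslash like a slash, so reject it outright.
    if "\\" in url:
        return False
    # "//host" is a scheme-relative URL pointing at another host.
    if url.startswith("//"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    # Only plain web schemes may carry a host; anything else is refused.
    if scheme and scheme not in ("http", "https"):
        return False
    if require_https and scheme == "http":
        return False
    if parts.netloc:
        return parts.netloc.lower() in {h.lower() for h in allowed_hosts}
    # No host component at all: a path like "/dashboard/?x=1" stays local.
    return True


def get_safe_next_page(next_page, request_host=REQUEST_HOST, is_secure=False):
    """Mirror of the PR's _get_safe_next_page(): local target or fallback."""
    if is_safe_redirect_target(next_page, {request_host}, require_https=is_secure):
        return next_page
    return FALLBACK


if __name__ == "__main__":
    for candidate in ("/dashboard/?x=1", "http://evil.example.com",
                      "//evil.example.com/", "https://app.example/dashboard/"):
        print(f"{candidate!r:40} -> {get_safe_next_page(candidate)!r}")
```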
Copilot AI changed the title [WIP] [GH-2871] Fix issue with data rendering Fix open redirect vulnerability in account views Mar 17, 2026
Copilot AI requested a review from deniszh March 17, 2026 14:47
Copilot AI and others added 4 commits March 17, 2026 17:18
Copilot AI changed the title Fix open redirect vulnerability in account views Fix open redirect vulnerability in account login/logout views Mar 17, 2026
@deniszh deniszh marked this pull request as ready for review March 17, 2026 17:45
@deniszh deniszh merged commit 23dd410 into master Mar 17, 2026
7 of 8 checks passed