File tree Expand file tree Collapse file tree 1 file changed +8
-1
lines changed Expand file tree Collapse file tree 1 file changed +8
-1
lines changed Original file line number Diff line number Diff line change @@ -338,7 +338,14 @@ def assertion_consumer_service(request,
338338 if not relay_state :
339339 logger .warning ('The RelayState parameter exists but is empty' )
340340 relay_state = default_relay_state
341- if not is_safe_url_compat (url = relay_state , allowed_hosts = {request .get_host ()}):
341+
342+ # Ensure the user-originating redirection url is safe.
343+ # By setting SAML_ALLOWED_HOSTS in settings.py the user may provide a list of "allowed"
344+ # hostnames for post-login redirects, much like one would specify ALLOWED_HOSTS .
345+ # If this setting is absent, the default is to use the hostname that was used for the current
346+ # request.
347+ saml_allowed_hosts = set (getattr (settings , 'SAML_ALLOWED_HOSTS' , [request .get_host ()]))
348+ if not is_safe_url_compat (url = relay_state , allowed_hosts = saml_allowed_hosts ):
342349 relay_state = settings .LOGIN_REDIRECT_URL
343350 logger .debug ('Redirecting to the RelayState: %s' , relay_state )
344351 return HttpResponseRedirect (relay_state )
You can’t perform that action at this time.
0 commit comments