fix: Add '/media/' to the list of whitelisted URLs for MFA login (#16412)

Co-authored-by: wangruidong <940853815@qq.com>

apps/authentication/middleware.py

@@ -36,7 +36,7 @@ class MFAMiddleware:
         # 这个是 mfa 登录页需要的请求, 也得放出来, 用户其实已经在 CAS/OIDC 中完成登录了
         white_urls = [
             'login/mfa', 'mfa/select', 'jsi18n/', '/static/',
-            '/profile/otp', '/logout/',
+            '/profile/otp', '/logout/', '/media/'
         ]
         for url in white_urls:
             if request.path.find(url) > -1:

apps/jumpserver/middleware.py

@@ -3,10 +3,10 @@
 import json
 import os
 import re
-import time
 from urllib.parse import urlparse, quote
 
 import pytz
+import time
 from django.conf import settings
 from django.core.exceptions import MiddlewareNotUsed
 from django.http.response import HttpResponseForbidden
@@ -162,9 +162,16 @@ class SafeRedirectMiddleware:
             target_host = parsed.netloc
             if target_host in [*settings.ALLOWED_HOSTS]:
                 return response
-            origin = f"{request.scheme}://{request.get_host()}"
+            target_host, target_port = self._split_host_port(parsed.netloc)
-            target_origin = f"{parsed.scheme}://{target_host}"
+            origin_host, origin_port = self._split_host_port(request.get_host())
-            if not target_origin.startswith(origin):
+            if target_host != origin_host:
                 safe_redirect_url = '%s?%s' % (reverse('redirect-confirm'), f'next={quote(location)}')
                 return redirect(safe_redirect_url)
         return response
+
+    @staticmethod
+    def _split_host_port(netloc):
+        if ':' in netloc:
+            host, port = netloc.split(':', 1)
+            return host, port
+        return netloc, '80'

pyproject.toml

@@ -147,7 +147,7 @@ mistune = "2.0.3"
 openai = "^1.29.0"
 xlsxwriter = "^3.1.9"
 exchangelib = "^5.1.0"
-xmlsec = "1.3.13"
+xmlsec = "1.3.14"
 lxml = "5.2.1"
 receptorctl = "^1.4.5"
 pydantic = "^2.7.4"