#12534: django.contrib.auth.views.login refuses to redirect to urls with spaces
----------------------------+-----------------------------------------------
Reporter: sharky | Owner: nobody
Status: new | Milestone:
Component: Authentication | Version: 1.1
Keywords: | Stage: Unreviewed
Has_patch: 0 |
----------------------------+-----------------------------------------------
While logged out, I am trying to access a page which is protected by the
"login_required" decorator at:
http://example.com/foo%20bar/
I get redirected to:
http://example.com/accounts/login?next=/foo%20bar/
Once I enter my credentials, instead of getting redirected to the expected
page, I get sent to the default URL as defined by
settings.LOGIN_REDIRECT_URL.
This bug is due to the code at line 24 of django/contrib/auth/views.py:
# Light security check -- make sure redirect_to isn't garbage.
if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
    redirect_to = settings.LOGIN_REDIRECT_URL
Could someone please explain how checking for spaces or double slashes is
a "security check"? From my point of view, it's a bug: Django refuses to
redirect me to a URL which is perfectly valid!
Many thanks in advance!
--
Ticket URL: <http://code.djangoproject.com/ticket/12534>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
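Added example (my own code, not Django's): the quoted check exists to stop an open redirect, where a `?next=` value such as `//evil.example/` is scheme-relative and would send a freshly logged-in user off-site. The substring test is a blunt instrument, though: the reporter's `?next=/foo%20bar/` arrives in the view already query-string-decoded as `/foo bar/`, so the space test rejects it even though the target is on the same site. The hypothetical `is_allowed_redirect` / `safe_redirect_target` helpers below (assumed names, `allowed_hosts` and `DEFAULT_REDIRECT` are stand-ins for the deployment's host list and `settings.LOGIN_REDIRECT_URL`) decide by parsed scheme and host instead, and percent-encode a raw space rather than refusing it, while still rejecting scheme-relative URLs, foreign hosts, non-http schemes, and backslash or control-character variants.

```python
from urllib.parse import quote, urlsplit, urlunsplit

DEFAULT_REDIRECT = "/accounts/profile/"  # stand-in for settings.LOGIN_REDIRECT_URL


def light_security_check(redirect_to: str, default: str = DEFAULT_REDIRECT) -> str:
    """The check quoted in the ticket, as a function: anything empty, containing
    '//' or containing a space falls back to the default."""
    if not redirect_to or "//" in redirect_to or " " in redirect_to:
        return default
    return redirect_to


def is_allowed_redirect(url: str, allowed_hosts) -> bool:
    """Hypothetical host-based check (assumption: my own helper, not Django's).

    Accepts a relative reference (path/query/fragment only) or an absolute
    http(s) URL whose host is in allowed_hosts; rejects everything else.
    """
    if not url:
        return False
    # Leading/trailing whitespace and control characters let some clients
    # re-interpret the scheme or host, so reject them before parsing.
    if url != url.strip() or any(ord(ch) < 0x20 for ch in url):
        return False
    # WHATWG-style parsers treat '\' like '/', so '/\evil.example/' would be
    # read as a scheme-relative URL; urlsplit does not, so reject explicitly.
    if "\\" in url:
        return False
    # Three or more leading slashes are read as absolute by browsers.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp: and friends
    if parts.scheme and not parts.netloc:
        return False  # 'http:/evil' is read as 'http://evil' by some clients
    if not parts.netloc:
        return True  # plain relative reference stays on this site
    return parts.hostname in allowed_hosts


def safe_redirect_target(url: str, allowed_hosts, default: str = DEFAULT_REDIRECT) -> str:
    """Return a redirect target that is on an allowed host AND a valid URL:
    a raw space in the path is percent-encoded rather than rejected."""
    if not is_allowed_redirect(url, allowed_hosts):
        return default
    parts = urlsplit(url)
    path = quote(parts.path, safe="/%")  # keep existing %XX sequences intact
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


# Constructed sample: the ticket's decoded ?next= value plus typical off-site targets.
SAMPLES = [
    "/foo bar/",              # the reporter's case after query-string decoding
    "/foo%20bar/",
    "//evil.example/",        # scheme-relative: leaves the site
    "http://evil.example/",
    "http://example.com/dash/",
    "/\\evil.example/",       # backslash variant of the scheme-relative trick
    "javascript:alert(1)",
    "",
]


def compare(url: str, allowed_hosts=frozenset({"example.com"})):
    """(accepted by the ticket's check?, what the host-based check redirects to)."""
    return (light_security_check(url) != DEFAULT_REDIRECT,
            safe_redirect_target(url, allowed_hosts))


if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, target = compare(sample)
        print(f"{sample!r:28} substring check: {'accept' if accepted else 'reject':6} "
              f"host check -> {target!r}")
```

Running it shows the two checks disagreeing in both directions: the substring test rejects `/foo bar/` and `http://example.com/dash/` (both on-site) yet accepts `/\evil.example/`, while the host-based check accepts the first two (re-encoding the space) and rejects the last. The lesson for any login view is to validate the destination by host and scheme, then re-serialize it, rather than by looking for suspicious characters.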