#12534: django.contrib.auth.views.login refuses to redirect to urls with spaces
-------------------------------------+--------------------------------------
Reporter: sharky | Owner: nobody
Status: new | Milestone:
Component: Authentication | Version: 1.1
Resolution: | Keywords:
Stage: Unreviewed | Has_patch: 0
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
-------------------------------------+--------------------------------------
Comment (by lukeplant):
I'm guessing the double slash check is to stop redirecting to an external
site, which would be a phishing vulnerability. I don't know about the
space thing; it does seem like it should be allowed to redirect to a URL
with a space in it, as you are allowed to have spaces in the path element
of the URL.

If you allow a space, it seems to work fine (tested in Firefox and Opera).
Some browsers, such as Firefox, actually display a space in the address
bar, rather than %20.

The only concern I have is with the redirect. Django sets "Location" to
"/foo bar/" if you allow the space. With the development server, this
somehow gets translated to "Location: /foo%20bar/" in the header that is
sent to the browser. I haven't tested with mod_python.
--
Ticket URL: <http://code.djangoproject.com/ticket/12534#comment:2>
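
Added example, not part of the ticket and not Django's own code: one way to write the check discussed in the comment above, so that off-site targets are refused, spaces in the path are accepted, and the value is percent-encoded before it is placed in Location. The names is_local_redirect, location_for and DEFAULT_REDIRECT are assumptions made for this example.

```python
from urllib.parse import quote, urlsplit

# Assumed fallback target, constructed for this example.
DEFAULT_REDIRECT = "/accounts/profile/"


def is_local_redirect(target):
    """Return True if target is a path on this site (spaces are allowed)."""
    if not target or not target.startswith("/"):
        return False
    # "//host/..." is a scheme-relative URL, and browsers read "\" as "/".
    if target.startswith("//") or "\\" in target:
        return False
    # Browsers drop tab/CR/LF inside URLs, and CR/LF would split the header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def location_for(target, default=DEFAULT_REDIRECT):
    """Return the value to send in Location after login."""
    if not is_local_redirect(target):
        return default
    # Keep URL delimiters and existing %XX escapes; a space becomes %20.
    return quote(target, safe="/?#&=%:@+,;!$'()*~")


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["/foo bar/", "//other.example/", "http://other.example/", ""]:
        print(repr(sample), "->", location_for(sample))
```

Encoding at the point where the header is built means the result does not depend on whether the server in front of the application rewrites the space itself.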