id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
5227	Redirect security check in login code is incomplete	Sander Dijkhuis <sander.dijkhuis@…	Adrian Holovaty	"The security check for the value of redirect_to in django.contrib.auth.views.login is incomplete. It's meant to block incorrect URLs and external locations, but it will still redirect to external sites if the URL doesn't include the protocol name. This is because '//' isn't blocked. So currently, /accounts/login/?next=//example.com/ will redirect the user to http://example.com/ after a successful authentication. This can be considered a small security problem.

It can be fixed by modifying [http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/views.py?rev=5886#L19 line 20]:
{{{
#!python
            if not redirect_to or '://' in redirect_to or ' ' in redirect_to:
}}}
should be:
{{{
#!python
            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
}}}"		closed	Contrib apps	1.0		fixed	auth	sander.dijkhuis@…	Unreviewed	0	0	0	0	0	0
