Index: django/contrib/auth/views.py
===================================================================
--- django/contrib/auth/views.py	(revision 12454)
+++ django/contrib/auth/views.py	(working copy)
@@ -26,7 +26,8 @@
         form = authentication_form(data=request.POST)
         if form.is_valid():
             # Light security check -- make sure redirect_to isn't garbage.
-            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
+            if not redirect_to or redirect_to.startswith('//') \
+                    or redirect_to.startswith('http://') or ' ' in redirect_to:
                 redirect_to = settings.LOGIN_REDIRECT_URL
             from django.contrib.auth import login
             login(request, form.get_user())
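Review bot: The rewritten condition on the two `+` lines rejects only a `//` or `http://` prefix, so an absolute `https://` URL (or any other scheme followed by `//`) now passes the check and is used as the post-login redirect, whereas the previous `'//' in redirect_to` test would have caught it. A scheme-independent check is to inspect the parsed network location rather than string prefixes, e.g. `from urlparse import urlparse` and `if not redirect_to or urlparse(redirect_to)[1] or ' ' in redirect_to:`; I have not verified how that behaves on irregular inputs such as a triple leading slash, so it deserves its own test case. The new `test_security_check` in the second file exercises only `http://example.com`, so as written it would not detect this gap; a parallel `https://example.com` assertion should be added there. The enclosing view function starts and ends outside the hunk.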
Index: django/contrib/auth/tests/views.py
===================================================================
--- django/contrib/auth/tests/views.py	(revision 12454)
+++ django/contrib/auth/tests/views.py	(working copy)
@@ -2,7 +2,7 @@
 import re
 
 from django.conf import settings
-from django.contrib.auth import SESSION_KEY
+from django.contrib.auth import SESSION_KEY, REDIRECT_FIELD_NAME
 from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.sites.models import Site, RequestSite
 from django.contrib.auth.models import User
@@ -183,6 +183,40 @@
         self.assertEquals(response.context['site_name'], site.name)
         self.assert_(isinstance(response.context['form'], AuthenticationForm), 
                      'Login form is not an AuthenticationForm')
+
+    def test_security_check(self, password='password'):
+        import urllib
+        login_url = reverse('django.contrib.auth.views.login')
+
+        # This URL should not pass the security check
+        nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
+            'url': login_url,
+            'next': REDIRECT_FIELD_NAME,
+            'bad_url': urllib.quote('http://example.com')
+        }
+        response = self.client.post(nasty_url, {
+            'username': 'testclient',
+            'password': password,
+            }
+        )
+        self.assertEquals(response.status_code, 302)
+        self.assertFalse('http://example.com' in response['Location'])
+
+        # Now, this URL has an other URL as a GET parameter and therefore
+        # should be allowed
+        url = '%(url)s?%(next)s=/view/?param=%(safe_param)s' % {
+            'url': login_url,
+            'next': REDIRECT_FIELD_NAME,
+            'safe_param': urllib.quote('http://example.com')
+        }
+        response = self.client.post(url, {
+            'username': 'testclient',
+            'password': password,
+            }
+        )
+        self.assertEquals(response.status_code, 302)
+        self.assertTrue('/view/?param=http://example.com' in response['Location'])
+
         
 class LogoutTest(AuthViewsTestCase):
     urls = 'django.contrib.auth.tests.urls'
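Review bot: The negative case in `test_security_check` only asserts that `http://example.com` is absent from `Location`; it never checks where the view redirected instead, so a regression that sends the user to an empty or unrelated URL would still pass. Pinning the fallback makes the intent explicit, e.g. `self.assertTrue(response['Location'].endswith(settings.LOGIN_REDIRECT_URL))` right after the existing `assertFalse` (`settings` is already imported at the top of this module). The same fallback assertion is not needed for the second, allowed-URL case, since that one already asserts the exact expected path.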
