Login Redirect Security Check Overly Broad
I believe that the fix implemented for bug #5227 is overly broad. If the original URL contains a GET parameter that is itself a URL, then the resultant 'next' parameter created during the redirect to the login screen will look like this:
Given that the check for '//' in the redirect checks the entire string, a GET parameter as above will cause the security check to be triggered and the user will be redirected incorrectly.
If the desire is to protect against redirect URLs that start with '//' (scheme-less URL) then I think it's better to be explicit and change line 24 of django.contrib.auth.views to this:
if not redirect_to or redirect_to.startswith('//') or '://' in redirect_to or ' ' in redirect_to:
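The two conditions side by side, as an added example that is not part of the ticket or of Django's code. It assumes the existing check tests `'//' in redirect_to`; the function names and the sample `next` values are constructed for illustration. It shows which values each condition flags, including a URL-valued parameter whose colon is not percent-encoded, which the proposed condition still flags.

```python
# Added illustration; the sample values are constructed, not taken from the ticket.

def broad_check(redirect_to):
    """Assumed existing condition: '//' is searched for anywhere in the string."""
    return not redirect_to or '//' in redirect_to or ' ' in redirect_to


def explicit_check(redirect_to):
    """Condition proposed in the ticket: only a leading '//' counts as scheme-less."""
    return (not redirect_to or redirect_to.startswith('//')
            or '://' in redirect_to or ' ' in redirect_to)


# (label, candidate 'next' value) pairs, constructed for this example.
SAMPLES = [
    ("plain local path", "/accounts/profile/"),
    ("URL-valued parameter, encoded colon", "/view/?url=http%3A//example.com/page"),
    ("URL-valued parameter, literal colon", "/view/?url=http://example.com/page"),
    ("scheme-less external URL", "//example.org/landing"),
    ("absolute external URL", "http://example.org/landing"),
    ("empty value", ""),
    ("value containing a space", "/a b"),
]


def compare(samples=SAMPLES):
    """Return {label: (broad_flags, explicit_flags)}; True means the check triggers."""
    return {label: (broad_check(v), explicit_check(v)) for label, v in samples}


if __name__ == "__main__":
    for label, (broad, explicit) in compare().items():
        print(f"{label:40} broad={'reject' if broad else 'allow':6} "
              f"explicit={'reject' if explicit else 'allow'}")
```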