django.contrib.auth.views.login refuses to redirect to urls with spaces
|Reported by:||Jeremy Lainé||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
While logged out, I am trying to access a page which is protected by the "login_required" decorator at:
I get redirected to:
Once I enter my credentials, instead of getting redirected to the expected page, I get sent to the default URL as defined by settings.LOGIN_REDIRECT_URL.
This bug is due to the code at line 24 of django/contrib/auth/views.py:
    # Light security check -- make sure redirect_to isn't garbage.
    if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
        redirect_to = settings.LOGIN_REDIRECT_URL
Could someone please explain how checking for spaces or double slashes is a "security check"? From my point of view, it's a bug: Django refuses to redirect me to a URL which is perfectly valid!
Many thanks in advance!
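As an added illustration (not Django's code and not part of the ticket), here is the quoted check next to a hypothetical host-based check, run over constructed values for the redirect target. The first falls back to the default for valid same-site URLs, while the second falls back only when the target names another host. `host_check`, `allowed_host`, the sample URLs and the fallback value are assumptions made for this example.

```python
from urllib.parse import urlsplit

LOGIN_REDIRECT_URL = "/accounts/profile/"  # assumed fallback for this example


def legacy_check(redirect_to):
    """The check quoted in the ticket: fall back on any '//' or space."""
    if not redirect_to or "//" in redirect_to or " " in redirect_to:
        return LOGIN_REDIRECT_URL
    return redirect_to


def host_check(redirect_to, allowed_host):
    """Hypothetical alternative: fall back only if the target leaves allowed_host."""
    if not redirect_to:
        return LOGIN_REDIRECT_URL
    # Browsers read "\" as "/" and skip leading whitespace and control
    # characters, so normalise and reject those before parsing.
    candidate = redirect_to.replace("\\", "/")
    if candidate != candidate.strip() or any(ord(c) < 32 for c in candidate):
        return LOGIN_REDIRECT_URL
    if candidate.startswith("/"):
        # A single leading slash is a same-site path; "//host/..." is
        # scheme-relative and names another host.
        return LOGIN_REDIRECT_URL if candidate.startswith("//") else redirect_to
    try:
        parts = urlsplit(candidate)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return LOGIN_REDIRECT_URL
    if parts.scheme in ("http", "https") and parts.netloc == allowed_host:
        return redirect_to
    return LOGIN_REDIRECT_URL


# Constructed sample values for the redirect target.
SAMPLES = [
    "/my page/",                     # valid path containing a space
    "/search/?q=a//b",               # '//' inside the query string only
    "https://www.example.com/a b/",  # absolute URL on the allowed host
    "//other.example/",              # scheme-relative, different host
    "http://other.example/",         # absolute, different host
    "/\\other.example",              # backslash variant of '//'
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "| legacy:", legacy_check(s),
              "| host:", host_check(s, "www.example.com"))
```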
Change History (17)
comment:1 Changed 7 years ago by
|Patch needs improvement:||unset|