django.contrib.auth.views.login refuses to redirect to urls with spaces
|Reported by:||sharky||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
While logged out, I am trying to access a page which is protected by the "login_required" decorator at:
I get redirected to:
Once I enter my credentials, instead of getting redirected to the expected page, I get sent to the default URL as defined by settings.LOGIN_REDIRECT_URL.
This bug is due to the code at line 24 of django/contrib/auth/views.py:
# Light security check -- make sure redirect_to isn't garbage.
if not redirect_to or '' in redirect_to or ' ' in redirect_to:
redirect_to = settings.LOGIN_REDIRECT_URL
Could someone please explain how checking for spaces or double slashes is a "security check"? From my point of view, it's a bug, django refuses to redirect me to an URL which is perfectly valid!
Many thanks in advance!
Change History (17)
comment:1 Changed 6 years ago by anonymous
- Cc aymeric.augustin@… removed
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 6 years ago by russellm
- Resolution set to duplicate
- Status changed from new to closed
comment:4 Changed 5 years ago by aaugustin
- Resolution duplicate deleted
- Status changed from closed to reopened
Changed 5 years ago by jnns
comment:12 Changed 5 years ago by ramiro
- Needs tests set
- Triage Stage changed from Ready for checkin to Accepted
Changed 5 years ago by aaugustin
comment:14 Changed 5 years ago by jezdez
- Resolution set to fixed
- Status changed from reopened to closed