id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
12534	django.contrib.auth.views.login refuses to redirect to urls with spaces	Jeremy Lainé	nobody	"While logged out, I am trying to access a page which is protected by the ""login_required"" decorator at:

http://example.com/foo%20bar/

I get redirected to:

http://example.com/accounts/login?next=/foo%20bar/

Once I enter my credentials, instead of getting redirected to the expected page, I get sent to the default URL as defined by settings.LOGIN_REDIRECT_URL.

This bug is due to the code at line 24 of django/contrib/auth/views.py:

    # Light security check -- make sure redirect_to isn't garbage.
    if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
        redirect_to = settings.LOGIN_REDIRECT_URL

Could someone please explain how checking for spaces or double slashes is a ""security check""? From my point of view, it's a bug: Django refuses to redirect me to a URL which is perfectly valid!

Many thanks in advance!"		closed	contrib.auth	1.1		fixed		aymeric.augustin@…	Accepted	1	0	0	0	0	0
