id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
18856	avoid set_language redirect to different host	Gunnar	nobody	"{{{
    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)
}}}

HTTP_REFERER can be from a different host, especially when using an external SSO authentication provider.
Then redirecting causes an infinite loop.
Solution:
Like in django.contrib.auth.login:

{{{
    next = request.REQUEST.get('next', None)
    if not next:
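        next = request.META.get('HTTP_REFERER', None)
        # urlparse must be imported at module level; fall back to ''
        # because next is None when no Referer header was sent
        netloc = urlparse.urlparse(next or '')[1]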

        # don't allow redirection to a different
        # host.
        if netloc and netloc != request.get_host():
            next = '/'
}}}
"	Bug	closed	Uncategorized	dev	Release blocker	fixed	set_language redirect infinite loop	Gunnar Scherf Florian Apolloner	Accepted	1	0	0	1	0	0
