#33409 closed Bug (needsinfo)

Django logs out after a redirect with a long Cyrillic message

Reported by: Dterb Owned by: nobody
Component: contrib.messages Version: 3.0
Severity: Normal Keywords: messages, logout, redirect
Cc: Florian Apolloner Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I am using a redirect from the payment system's website back on my site when the user decides to cancel the checkout:

@csrf_exempt
def payment_done(request):
    if request.method == 'POST':
        result = get_result(request)
        if result  == 'success':
            return redirect(reverse('payment_successful'))
        return redirect(reverse('subscribe'), messages=payment_unsuccessful_message(request))
    raise Http404

The code for getting the message added to the redirect is the following:

def payment_unsuccessful_message(request):
    with translation.override(translation.get_language()):
        return messages.error(
            request,
            render_to_string('billing/payment_unsuccessful_message.html'),
            extra_tags='safe, custom',
        )

Now, the problem is that the user is getting logged out when redirected this way, but only in the Ukrainian (Cyrillic) interface. In all the other (non-Cyrillic) languages, no redirect occurs and the user stays logged in.

I thought that the problem was with incorrect encoding, render_to_string, then with extra_tags, and so on. After several hours, I realised that the issue is with the length of the Cyrillic characters.

So, if you try this piece of code for the message added to the redirect (replaced the render_to_string with gettext for demonstration purposes), everything works fine and the user is not logged out forcedly:

def payment_unsuccessful_message(request):
    with translation.override(translation.get_language()):
        return messages.error(
            request,
            _(
                '<strong>Аааааа аа ааааааааа</strong>. Аааааа аа ааааааааа аааааа '
                'ааааааааа, аааааааа ааааааа ааа ааа аааа аааааааааа ааааааа аааааааа аааааааа: '
                '<em>ааааааааа аааааа ааааааааааа ааааааа аааааааааааа аааааааа аааааааааа '
                'ааааааааааа аааааа ааааааа а аааааааааа</em> аааа ааааааааааааааа ааааааааа '
                'аа ааааааа. ааааааа ааааааа ааааааааа аа'
            ),
            extra_tags='safe, custom',
        )

But add one more Cyrillic character in the end of the message, and the user will be logged out (although the message will be displayed correctly).

I believe that the reason is in the length of encoded characters but have not found any similar issue on the web, so I am reporting it as a bug.

Change History (1)

comment:1 Changed 13 months ago by Mariusz Felisiak

Cc: Florian Apolloner added
Resolution: needsinfo
Status: newclosed

Thanks for this report. Messages format was changed to the RFC-6265 compliant format in Django 3.2 (see 2d6179c819010f6a9d00835d5893c4593c0b85a0). Can you reproduce this issue in Django 3.2+?

Note: See TracTickets for help on using tickets.
Back to Top