Redirect security check in login code is incomplete
Reported by:
Owned by: Adrian Holovaty
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
The security check for the value of redirect_to in django.contrib.auth.views.login is incomplete. It's meant to block incorrect URLs and external locations, but it will still redirect to external sites if the URL doesn't include the protocol name. This is because '//' isn't blocked. So currently, /accounts/login/?next=//example.com/ will redirect the user to http://example.com/ after a successful authentication. This can be considered a small security problem.
It can be fixed by modifying line 20:

Current:
    if not redirect_to or '://' in redirect_to or ' ' in redirect_to:

Proposed:
    if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
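As an added illustration (this is not Django's code and not part of the ticket), the two versions of the check written as plain functions and run over a set of constructed ?next= values. It shows that a protocol-relative value such as //example.com/ passes the current check but not the proposed one, and also that the proposed check has a side effect the ticket does not mention: a purely local path containing a doubled slash, like /foo//bar, is rejected as well. The function and variable names are my own.

```python
# Added example, not Django's code: the redirect_to check from the ticket,
# before and after the proposed one-character change, run over constructed
# sample values for the ?next= parameter.


def is_safe_redirect_old(redirect_to: str) -> bool:
    """Current check: rejects empty values, anything containing '://', and spaces."""
    if not redirect_to or '://' in redirect_to or ' ' in redirect_to:
        return False
    return True


def is_safe_redirect_proposed(redirect_to: str) -> bool:
    """Proposed check: '://' loosened to '//', so protocol-relative URLs are rejected too."""
    if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
        return False
    return True


# Constructed sample values for ?next= (hypothetical, chosen to exercise each branch).
SAMPLE_NEXT_VALUES = [
    "/accounts/profile/",   # ordinary local path: accepted by both checks
    "http://example.com/",  # absolute external URL: rejected by both checks
    "//example.com/",       # protocol-relative: browsers resolve it against the current scheme
    "/foo//bar",            # local path with a doubled slash: collateral rejection under '//'
    "",                     # empty: both checks fail it and the view falls back to its default
    "/foo bar",             # contains a space: rejected by both checks
]


def compare_checks(values=SAMPLE_NEXT_VALUES):
    """Map each sample value to (accepted_by_old_check, accepted_by_proposed_check)."""
    return {v: (is_safe_redirect_old(v), is_safe_redirect_proposed(v)) for v in values}


def bypasses_old_check(values=SAMPLE_NEXT_VALUES):
    """Values the current check lets through that the proposed check blocks."""
    return [v for v in values
            if is_safe_redirect_old(v) and not is_safe_redirect_proposed(v)]


if __name__ == "__main__":
    for value, (old_ok, new_ok) in compare_checks().items():
        print(f"{value!r:22} current={old_ok!s:5} proposed={new_ok!s:5}")
    print("blocked only by the proposed check:", bypasses_old_check())
```

The doubled-slash rejection is the price of a pure substring test: the proposed check cannot tell a scheme-relative authority at the start of the value from a // somewhere inside a local path, so it refuses both.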