Fixed #12534 -- Loosened the the security check for "next" redirects …

…after logins slightly to allow paths that contain spaces. Thanks for the patch, jnns and aaugustin.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15702 bcc190cf-cafb-0310-a4f2-bffc1f526a37

django/contrib/auth/tests/views.py

@@ -236,7 +236,9 @@ def test_security_check(self, password='password'):
                          '/view?param=ftp://exampel.com',
                          'view/?param=//example.com',
                          'https:///',
-                         '//testserver/'):
+                         '//testserver/',
+                         '/url%20with%20spaces/', # see ticket #12534
+                         ):
             safe_url = '%(url)s?%(next)s=%(good_url)s' % {
                 'url': login_url,
                 'next': REDIRECT_FIELD_NAME,
@@ -251,6 +253,7 @@ def test_security_check(self, password='password'):
             self.assertTrue(good_url in response['Location'],
                             "%s should be allowed" % good_url)
 
+
 class LoginURLSettings(AuthViewsTestCase):
     urls = 'django.contrib.auth.tests.urls'
 

django/contrib/auth/views.py

@@ -34,11 +34,11 @@ def login(request, template_name='registration/login.html',
         if form.is_valid():
             netloc = urlparse.urlparse(redirect_to)[1]
 
-            # Light security check -- make sure redirect_to isn't garbage.
-            if not redirect_to or ' ' in redirect_to:
+            # Use default setting if redirect_to is empty
+            if not redirect_to:
                 redirect_to = settings.LOGIN_REDIRECT_URL
 
-            # Heavier security check -- don't allow redirection to a different
+            # Security check -- don't allow redirection to a different
             # host.
             elif netloc and netloc != request.get_host():
                 redirect_to = settings.LOGIN_REDIRECT_URL