Add open redirect protection to RedirectResponse

RedirectResponse now rejects external URLs by default, raising ValueError
for URLs with schemes (http://, ftp://), protocol-relative (//), or
backslash variants. Callers must opt in with allow_external=True.

All legitimate external redirect sites (OAuth, CDN, HTTPS upgrade,
admin Referer, pages/redirection config, redirect_to_login) updated
with allow_external=True. Includes tests for bypass vectors (whitespace,
backslash normalization, mixed-case schemes).

Author: davegaeddert

plain-admin/plain/admin/builtin_views.py

@@ -84,7 +84,7 @@ def post(self) -> Response:
 
         # Redirect back to current page (or referer)
         referer = self.request.headers.get("Referer", "/admin/")
-        return RedirectResponse(referer)
+        return RedirectResponse(referer, allow_external=True)
 
 
 class UnpinNavView(AdminView):
@@ -105,7 +105,7 @@ def post(self) -> Response:
 
         # Redirect back to current page (or referer)
         referer = self.request.headers.get("Referer", "/admin/")
-        return RedirectResponse(referer)
+        return RedirectResponse(referer, allow_external=True)
 
 
 class ReorderPinnedView(AdminView):

plain-auth/plain/auth/views.py

@@ -144,4 +144,4 @@ def redirect_to_login(
         querystring[redirect_field_name] = next
         login_url_parts[4] = querystring.urlencode(safe="/")
 
-    return RedirectResponse(str(urlunparse(login_url_parts)))
+    return RedirectResponse(str(urlunparse(login_url_parts)), allow_external=True)

plain-loginlink/plain/loginlink/views.py

@@ -50,8 +50,7 @@ class LoginLinkSentView(AuthView, TemplateView):
     def get(self) -> Response:
         # Redirect if the user is already logged in
         if self.user:
-            next_url = self.request.query_params.get("next", "/")
-            return RedirectResponse(next_url)
+            return RedirectResponse(self.request.query_params.get("next", "/"))
 
         return super().get()
 

plain-oauth/plain/oauth/providers.py

@@ -213,7 +213,7 @@ def get_redirect_response(self, redirect_url: str) -> Response:
         Returns a redirect response to the given URL.
         This is a utility method to ensure consistent redirect handling.
         """
-        response = RedirectResponse(redirect_url)
+        response = RedirectResponse(redirect_url, allow_external=True)
         add_never_cache_headers(response)
         return response
 

plain-pages/plain/pages/views.py

@@ -106,7 +106,7 @@ def get(self) -> RedirectResponse:
             raise RedirectPageError("Redirect page is missing a url")
 
         status_code = self.page.vars.get("status_code", 302)
-        return RedirectResponse(url, status_code=status_code)
+        return RedirectResponse(url, status_code=status_code, allow_external=True)
 
 
 class PageAssetView(PageViewMixin, AssetView):

plain-redirection/plain/redirection/middleware.py

@@ -17,7 +17,9 @@ def after_response(self, request: Request, response: Response) -> Response:
                     redirect_log = RedirectLog.from_redirect(redirect, request)
                     # Then redirect
                     return RedirectResponse(
-                        str(redirect_log.to_url), status_code=redirect.http_status
+                        str(redirect_log.to_url),
+                        status_code=redirect.http_status,
+                        allow_external=True,
                     )
 
             # Nothing matched, just log the 404

plain-support/plain/support/views.py

@@ -61,4 +61,4 @@ def get_response(self) -> ResponseBase:
 
 class SupportFormJSView(View):
     def get(self) -> RedirectResponse:
-        return RedirectResponse(get_asset_url("support/embed.js"))
+        return RedirectResponse(get_asset_url("support/embed.js"), allow_external=True)

plain/plain/assets/views.py

@@ -270,6 +270,7 @@ def get_cdn_redirect_response(self, path: str) -> RedirectResponse | None:
         return RedirectResponse(
             redirect_to=cdn_url,
             status_code=status_code,
+            allow_external=True,
             headers={"Cache-Control": cache_control},
         )
 

plain/plain/http/response.py

@@ -540,12 +540,37 @@ def set_headers(self, filelike: IO[bytes]) -> None:
             self.headers["Content-Disposition"] = content_disposition
 
 
+def _is_external_url(url: str) -> bool:
+    """Check if a URL would redirect to an external host."""
+    if not url:
+        return False
+    # Browsers strip leading whitespace from Location headers
+    url = url.strip()
+    # Browsers normalize backslashes to forward slashes in URLs,
+    # so \\ and /\ are equivalent to //
+    if url[:2].replace("\\", "/") == "//":
+        return True
+    colon_pos = url.find("://")
+    if colon_pos > 0 and url[:colon_pos].isalpha():
+        return True
+    return False
+
+
 class RedirectResponse(Response):
     """HTTP redirect response"""
 
     status_code = 302
 
-    def __init__(self, redirect_to: str, **kwargs: Any):
+    def __init__(
+        self, redirect_to: str, *, allow_external: bool = False, **kwargs: Any
+    ):
+        if not allow_external and _is_external_url(redirect_to):
+            raise ValueError(
+                f"Unsafe redirect URL: {redirect_to!r}. "
+                "RedirectResponse does not allow external URLs by default. "
+                "Use allow_external=True if you intentionally want to redirect "
+                "to an external URL."
+            )
         super().__init__(**kwargs)
         self.headers["Location"] = iri_to_uri(redirect_to) or ""
 

plain/plain/internal/middleware/https.py

@@ -27,6 +27,8 @@ def before_request(self, request: Request) -> Response | None:
     def maybe_https_redirect(self, request: Request) -> Response | None:
         if self.https_redirect_enabled and not request.is_https():
             return RedirectResponse(
-                f"https://{request.host}{request.get_full_path()}", status_code=301
+                f"https://{request.host}{request.get_full_path()}",
+                status_code=301,
+                allow_external=True,
             )
         return None