#36195: redirect_to_login Misinterprets next Parameter with Multiple Query
Parameters
-------------------------------------+-------------------------------------
     Reporter:  Antoni-Czaplicki     |                     Type:  Bug
       Status:  new                  |                Component:
                                     |  contrib.auth
      Version:  5.1                  |                 Severity:  Normal
     Keywords:  auth                 |             Triage Stage:
  redirect_to_login query            |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 There is a bug in the redirect_to_login function in
 django.contrib.auth.views. When the next parameter itself contains
 multiple query parameters (separated by &), they are incorrectly
 interpreted as part of the main login URL’s query parameters instead of
 being properly escaped as part of the next value.

 Steps to Reproduce:
 1. Configure a Django view with the required login decorator.
 2. Attempt to access a protected view with a next parameter containing
 multiple query parameters, e.g.:

 `/protected-view/?foo=1&bar=2`

 3. The user is redirected to the login page, where the generated login
 URL is:

 `/login/?next=/protected-view/?foo=1&bar=2`

 This is incorrect because &bar=2 is interpreted as a separate query
 parameter for /login/ instead of part of the next value.

 4. After login, the user is redirected to:

 `/protected-view/?foo=1`

 Instead of the expected:

 `/protected-view/?foo=1&bar=2`

 Expected Behavior:
 Ampersands in the next parameter should be properly escaped so that it is
 treated as a single query parameter in the login URL. It should appear as:

 `/login/?next=/protected-view/?foo=1%26bar=2`

 so that after login, Django correctly redirects to:

 `/protected-view/?foo=1&bar=2`

 Affected Code:
 The issue originates in redirect_to_login:

 https://github.com/django/django/blob/2d34ebe49a25d0974392583d5bbd954baf742a32/django/contrib/auth/views.py#L180
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36195>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
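The two URL constructions the ticket contrasts, as an added standalone example that is not part of the ticket and not Django's code. `naive_login_redirect` is the string concatenation the reporter describes, which loses `bar=2` to the login URL; `safe_login_redirect` parses the login URL, merges `next` into its query dict and re-encodes it with `urlencode`, which is the same approach `redirect_to_login` takes with a `QueryDict` (reimplemented here with `urllib.parse` only; the function names and the `next_after_login` helper that plays the login view's role are assumptions for this example). Note that full percent-encoding of `?`, `=` and `&` is the robust form; it decodes back to exactly the original `next` value, so it is equivalent to the partially escaped URL the report shows as expected.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def naive_login_redirect(next_url: str, login_url: str = "/login/",
                         field: str = "next") -> str:
    """The broken construction from the ticket: plain concatenation, so any
    '&' inside next_url starts a new query parameter of the login URL."""
    return f"{login_url}?{field}={next_url}"


def safe_login_redirect(next_url: str, login_url: str = "/login/",
                        field: str = "next") -> str:
    """Merge next_url into the login URL's query string with urlencode.

    Mirrors the QueryDict + urlencode approach used by
    django.contrib.auth.views.redirect_to_login, rewritten with the
    standard library (example code, not Django's own)."""
    parts = list(urlsplit(login_url))            # [scheme, netloc, path, query, fragment]
    query = parse_qs(parts[3], keep_blank_values=True)
    query[field] = [next_url]                    # replace any existing next=
    # safe="/" keeps slashes readable (as Django does); '?', '=' and '&' in
    # next_url are percent-encoded, so it survives as one parameter.
    parts[3] = urlencode(query, doseq=True, safe="/")
    return urlunsplit(parts)


def next_after_login(login_redirect: str, field: str = "next") -> Optional[str]:
    """What a login view reads back as the post-login destination."""
    query = parse_qs(urlsplit(login_redirect).query, keep_blank_values=True)
    values = query.get(field)
    return values[0] if values else None


if __name__ == "__main__":
    target = "/protected-view/?foo=1&bar=2"      # constructed sample input
    for build in (naive_login_redirect, safe_login_redirect):
        url = build(target)
        print(f"{build.__name__:22s} {url}")
        print(f"{'':22s} -> next={next_after_login(url)!r}")
```

Running it shows the naive URL round-tripping to `/protected-view/?foo=1` (the `bar=2` is consumed by `/login/`), while the encoded form round-trips to the full target; the same merge also works when the login URL already carries its own query string, such as `/accounts/login/?lang=en`.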
