[Django] #36195: redirect_to_login Misinterprets next Parameter with Multiple Query Parameters


Django

Feb 16, 2025, 5:28:19 PM
to django-...@googlegroups.com
#36195: redirect_to_login Misinterprets next Parameter with Multiple Query Parameters

Reporter: Antoni-Czaplicki
Type: Bug
Status: new
Component: contrib.auth
Version: 5.1
Severity: Normal
Keywords: auth redirect_to_login query
Triage Stage: Unreviewed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0
Easy pickings: 0
UI/UX: 0

There is a bug in the redirect_to_login function in
django.contrib.auth.views. When the next parameter itself contains
multiple query parameters (separated by &), they are incorrectly
interpreted as part of the main login URL’s query parameters instead of
being properly escaped as part of the next value.

Steps to Reproduce:
1. Configure a Django view with the required login decorator.
2. Attempt to access a protected view with a next parameter containing multiple query parameters, e.g.:

`/protected-view/?foo=1&bar=2`

3. The user is redirected to the login page, where the generated login URL is:

`/login/?next=/protected-view/?foo=1&bar=2`

This is incorrect because &bar=2 is interpreted as a separate query parameter for /login/ instead of as part of the next value.

4. After login, the user is redirected to:

`/protected-view/?foo=1`

instead of the expected:

`/protected-view/?foo=1&bar=2`

Expected Behavior:
Ampersands in the next parameter should be properly escaped so that it is treated as a single query parameter in the login URL. It should appear as:

`/login/?next=/protected-view/?foo=1%26bar=2`

so that after login, Django correctly redirects to:

`/protected-view/?foo=1&bar=2`

Affected Code:
The issue originates in redirect_to_login:

https://github.com/django/django/blob/2d34ebe49a25d0974392583d5bbd954baf742a32/django/contrib/auth/views.py#L180
--
Ticket URL: <https://code.djangoproject.com/ticket/36195>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 17, 2025, 2:59:15 AM
to django-...@googlegroups.com
#36195: redirect_to_login Misinterprets next Parameter with Multiple Query Parameters

Reporter: Antoni Czaplicki
Owner: (none)
Type: Bug
Status: closed
Component: contrib.auth
Version: 5.1
Severity: Normal
Resolution: worksforme
Keywords: auth redirect_to_login query
Triage Stage: Unreviewed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0
Easy pickings: 0
UI/UX: 0

Changes (by Sarah Boyce):

* resolution: => worksforme
* status: new => closed

Comment:

Checked via a test and a test project, the parameters are escaped for me

{{{#!diff
--- a/tests/test_client/tests.py
+++ b/tests/test_client/tests.py
@@ -557,6 +557,10 @@ class ClientTest(TestCase):
self.assertEqual(response.status_code, 200)
self.assertEqual(response.context["user"].username, "testclient")

+ def test_view_with_login_with_query_parameter(self):
+ response = self.client.get("/login_protected_view/?foo=1&bar=2")
+ self.assertRedirects(response,
"/accounts/login/?next=/login_protected_view/%3Ffoo%3D1%26bar%3D2")
+
@override_settings(
INSTALLED_APPS=["django.contrib.auth"],
SESSION_ENGINE="django.contrib.sessions.backends.file",
}}}
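Review bot: the assertRedirects call in the added test is wrapped across two lines with its indentation dropped (`+ self.assertRedirects(response,` followed by the bare string line), so the patch as pasted will not apply; keep the call on one indented line. On the substance, the assertion pins only the generated login URL (`next=/login_protected_view/%3Ffoo%3D1%26bar%3D2`, i.e. the whole next value encoded as a single parameter); to also cover step 4 of the report, a follow-up login POST asserting a redirect back to `/login_protected_view/?foo=1&bar=2` would show that the value round-trips unchanged.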
--
Ticket URL: <https://code.djangoproject.com/ticket/36195#comment:1>
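Added example (not Django's code and not from the ticket): a stdlib-only sketch of the approach redirect_to_login takes, encoding the whole next value as one query parameter with "/" left readable, beside the unescaped construction the report assumed, so the difference in what the login view recovers is visible. The function names are hypothetical.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse, urlunparse


def build_login_url(next_url, login_url="/login/", redirect_field_name="next"):
    """Hypothetical stdlib mirror of the redirect_to_login approach (not Django's
    code): merge the next value into the login URL's existing query string and
    re-encode it as a single parameter, keeping "/" unescaped as Django does."""
    parts = list(urlparse(login_url))  # index 4 is the query component
    query = dict(parse_qsl(parts[4], keep_blank_values=True))
    query[redirect_field_name] = next_url
    parts[4] = urlencode(query, safe="/")  # "?", "=" and "&" become %3F %3D %26
    return urlunparse(parts)


def naive_login_url(next_url, login_url="/login/", redirect_field_name="next"):
    """The unescaped construction the report describes; shown only for contrast."""
    return f"{login_url}?{redirect_field_name}={next_url}"


def recover_next(url, redirect_field_name="next"):
    """What a login view sees when it parses its own query string."""
    params = parse_qs(urlparse(url).query)
    return params.get(redirect_field_name, [None])[0]


if __name__ == "__main__":
    target = "/protected-view/?foo=1&bar=2"  # constructed sample, from the report
    good = build_login_url(target)
    bad = naive_login_url(target)
    print(good)                # /login/?next=/protected-view/%3Ffoo%3D1%26bar%3D2
    print(recover_next(good))  # /protected-view/?foo=1&bar=2 (round-trips intact)
    print(recover_next(bad))   # /protected-view/?foo=1 (bar=2 lost, as reported)
```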