Opened 4 days ago
Closed 3 days ago
#36195 closed Bug (worksforme)
redirect_to_login Misinterprets next Parameter with Multiple Query Parameters
Reported by: | Antoni Czaplicki | Owned by: | |
---|---|---|---|
Component: | contrib.auth | Version: | 5.1 |
Severity: | Normal | Keywords: | auth redirect_to_login query |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
There is a bug in the redirect_to_login function in django.contrib.auth.views. When the next parameter itself contains multiple query parameters (separated by &), they are incorrectly interpreted as part of the main login URL’s query parameters instead of being properly escaped as part of the next value.
Steps to Reproduce:
- Configure a Django view with the login-required decorator.
- Attempt to access the protected view with a next parameter containing multiple query parameters, e.g.:
  /protected-view/?foo=1&bar=2
- The user is redirected to the login page, where the generated login URL is:
  /login/?next=/protected-view/?foo=1&bar=2
  This is incorrect because &bar=2 is interpreted as a separate query parameter for /login/ instead of as part of the next value.
- After login, the user is redirected to:
  /protected-view/?foo=1
  instead of the expected:
  /protected-view/?foo=1&bar=2
Expected Behavior:
Ampersands in the next parameter should be properly escaped so that it is treated as a single query parameter in the login URL. It should appear as:
/login/?next=/protected-view/?foo=1%26bar=2
so that after login, Django correctly redirects to:
/protected-view/?foo=1&bar=2
Affected Code:
The issue originates in redirect_to_login:
Checked via a test and a test project, the parameters are escaped for me
tests/test_client/tests.py
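The following is an added, stand-alone example (not Django's code and not from the ticket or its reporter) that contrasts the two behaviours discussed above: the unescaped concatenation the description reports, and a redirect builder that percent-encodes the next value the way the comment says the real function already does. It uses only urllib.parse; the login URL /login/ and the redirect field name next are assumptions matching the ticket's examples. Unlike the ticket's expected string, the escaped form below also encodes ? and =, which is harmless because the login view decodes the value before using it.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, quote

LOGIN_URL = "/login/"           # assumed login URL, as in the ticket's examples
REDIRECT_FIELD_NAME = "next"    # assumed redirect field name


def naive_login_redirect(next_url, login_url=LOGIN_URL):
    """The behaviour the ticket reports: plain concatenation, nothing escaped.

    Any '&' inside next_url becomes a separator of the login URL's own query.
    """
    return f"{login_url}?{REDIRECT_FIELD_NAME}={next_url}"


def escaped_login_redirect(next_url, login_url=LOGIN_URL):
    """Build the login redirect with the next value percent-encoded.

    The login URL is split, its existing query (if any) is kept, the redirect
    field is set or overwritten, and every key/value is quoted with only '/'
    left bare, so '?', '=' and '&' inside next_url cannot be mistaken for
    query delimiters of the login URL.
    """
    parts = list(urlsplit(login_url))            # scheme, netloc, path, query, fragment
    query = dict(parse_qsl(parts[3], keep_blank_values=True))
    query[REDIRECT_FIELD_NAME] = next_url
    parts[3] = "&".join(
        f"{quote(key, safe='/')}={quote(value, safe='/')}"
        for key, value in query.items()
    )
    return urlunsplit(parts)


def next_after_login(login_redirect_url):
    """What a login view would read back as the post-login destination.

    parse_qsl splits on '&' first and then on the first '=' of each pair,
    which is exactly why an unescaped next value loses everything after
    its first '&'.
    """
    query = dict(parse_qsl(urlsplit(login_redirect_url).query, keep_blank_values=True))
    return query.get(REDIRECT_FIELD_NAME)


if __name__ == "__main__":
    # Constructed input from the ticket: a protected URL with two query parameters.
    target = "/protected-view/?foo=1&bar=2"
    for builder in (naive_login_redirect, escaped_login_redirect):
        url = builder(target)
        print(f"{builder.__name__:24s} {url}")
        print(f"{'':24s} -> next after login: {next_after_login(url)}")
```

Running the block prints the truncated destination (/protected-view/?foo=1) for the naive builder and the intact one for the escaped builder; the second builder also preserves any query string the login URL already carried.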