From: Magnus Hagander
Date: Thu, 29 Oct 2020 16:50:21 +0000 (+0100)
Subject: Properly quote URL for login redirect in private archives
X-Git-Url: http://git.postgresql.org/gitweb/edit?a=commitdiff_plain;h=635a9ade8f92eb5375cb589a887c195dc1ef1908;p=pgarchives.git
Properly quote URL for login redirect in private archives
Without the proper quoting, having a + sign in a message-id would get unquoted to a space before sending the user off to the community authentication, which in turn would then redirect back to the incorrect url.
Reported by Noah Misch
---
diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py
index d32ccce..78f4564 100644
--- a/django/archives/mailarchives/views.py
+++ b/django/archives/mailarchives/views.py
@@ -34,7 +34,7 @@ def ensure_logged_in(request):
 return
 if hasattr(request, 'user') and request.user.is_authenticated:
 return
- raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
+ raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))
 # Ensure the user has permissions to access a list. If not, raise
@@ -51,7 +51,7 @@ def ensure_list_permissions(request, l):
 raise PermissionDenied("Access denied.")
 # Redirect to a login page
- raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
+ raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))
 # Ensure the user has permissions to access a message. In order to view
@@ -88,7 +88,7 @@ def ensure_message_permissions(request, msgid):
 raise PermissionDenied("Access denied.")
 # Redirect to a login page
- raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
+ raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))
 # Decorator to set cache age
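Review bot: The login redirect is built by the same expression in three places (ensure_logged_in in this hunk, then again in ensure_list_permissions and ensure_message_permissions), so the quoting has to be kept in step by hand; a small helper such as `def login_redirect(request): return ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))` would put the encoding in one place. None of the hunks adds an import, so `quote` is presumably already in scope in views.py; if it is `urllib.parse.quote`, its default `safe='/'` encodes `+` as `%2B` and leaves slashes alone, which is what the `next` value needs, but that is worth confirming. `request.path` carries no query string, so any parameters on the original URL are not restored after login; if that matters, `quote(request.get_full_path())` would keep them. All three function bodies start outside their hunks.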