From cc148739fdb9ad841ee02b261512e68cdff48baa Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Tue, 14 Apr 2020 17:57:58 +0200
Subject: Extra quote the url from 'next' in authentication If the next URL contained a + django would helpfully change that into a space, which broke things further down the chain. So put back this escaping, in the hope that the redirect will be correct down the road. This fixes is for spaces, let's hope it doesn't instead break it for something else.
---
 django/archives/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'django/archives/auth.py')
diff --git a/django/archives/auth.py b/django/archives/auth.py
index 87ffb0b..069d57c 100644
--- a/django/archives/auth.py
+++ b/django/archives/auth.py
@@ -28,7 +28,7 @@ from django.conf import settings
 import base64
 import json
 import socket
-from urllib.parse import urlparse, urlencode, parse_qs
+from urllib.parse import urlparse, urlencode, parse_qs, quote_plus
 import requests
 from Cryptodome.Cipher import AES
 from Cryptodome.Hash import SHA
@@ -53,7 +53,7 @@ def login(request):
 # Put together an url-encoded dict of parameters we're getting back,
 # including a small nonce at the beginning to make sure it doesn't
 # encrypt the same way every time.
- s = "t=%s&%s" % (int(time.time()), urlencode({'r': request.GET['next']}))
+ s = "t=%s&%s" % (int(time.time()), urlencode({'r': quote_plus(request.GET['next'], safe='/')}))
 # Now encrypt it
 r = Random.new()
 iv = r.read(16)
--
cgit v1.2.3
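Review bot: The `next` value on the changed `s = ...` line is taken straight from the query string and, per the commit message, ends up as a redirect target, yet nothing visible in this hunk checks that it is a site-local URL. `quote_plus(..., safe='/')` only changes the encoding and does not constrain where the value points. If no such check exists elsewhere in `login` or on the receiving side (both outside this hunk), validate before encrypting, for example `if not url_has_allowed_host_and_scheme(nexturl, allowed_hosts={request.get_host()}): nexturl = '/'` from `django.utils.http` (`is_safe_url` on Django older than 3.0). Separately, the value is now percent-encoded twice (`quote_plus`, then `urlencode`), which is only correct while the return path decodes it the matching number of times. A comment on that line such as `# pre-quote: a literal '+' in next is otherwise decoded to a space on the way back` would record why the extra layer is there.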