Properly quote URL for login redirect in private archives

Without the proper quoting, having a + sign in a message-id would get
unquoted to a space before sending the user off to the community
authentication, which in turn would then redirect back to the incorrect
url.

Reported by Noah Misch

diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py
index d32ccce66789628f2776758a0ba9c79952ab275b..78f45642469ae282719178e780e477742a13b401 100644 (file)
--- a/django/archives/mailarchives/views.py
+++ b/django/archives/mailarchives/views.py
@@ -34,7 +34,7 @@ def ensure_logged_in(request):
         return
     if hasattr(request, 'user') and request.user.is_authenticated:
         return
-    raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
+    raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))
 
 
 # Ensure the user has permissions to access a list. If not, raise
@@ -51,7 +51,7 @@ def ensure_list_permissions(request, l):
         raise PermissionDenied("Access denied.")
 
     # Redirect to a login page
-    raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
+    raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))
 
 
 # Ensure the user has permissions to access a message. In order to view
@@ -88,7 +88,7 @@ def ensure_message_permissions(request, msgid):
         raise PermissionDenied("Access denied.")
 
     # Redirect to a login page
-    raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
+    raise ERedirect('%s?next=%s' % (settings.LOGIN_URL, quote(request.path)))
 
 
 # Decorator to set cache age