[1.6.x] Fixed #10491 -- Allowed passing lazy objects to HttpResponseRedirect.

Thanks liangent for the report. Backport of 3c45fb8589 from master
2025-10-26 15:16:09 +00:00 · 2013-04-20 05:20:01 +02:00
parent bf132bcb8d
commit badca4716f
2 changed files with 15 additions and 3 deletions
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -15,7 +15,7 @@ from django.core import signing
 from django.core.exceptions import DisallowedRedirect
 from django.http.cookie import SimpleCookie
 from django.utils import six, timezone
-from django.utils.encoding import force_bytes, iri_to_uri
+from django.utils.encoding import force_bytes, force_text, iri_to_uri
 from django.utils.http import cookie_date
 from django.utils.six.moves import map

@@ -454,7 +454,7 @@ class HttpResponseRedirectBase(HttpResponse):
    allowed_schemes = ['http', 'https', 'ftp']

    def __init__(self, redirect_to, *args, **kwargs):
-        parsed = urlparse(redirect_to)
+        parsed = urlparse(force_text(redirect_to))
        if parsed.scheme and parsed.scheme not in self.allowed_schemes:
            raise DisallowedRedirect("Unsafe redirect to URL with protocol '%s'" % parsed.scheme)
        super(HttpResponseRedirectBase, self).__init__(*args, **kwargs)