Merge branch '6.1.x'

Closes gh-13483

Author: jzheaux

web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java

@@ -37,6 +37,7 @@
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * Represents central information from a {@code HttpServletRequest}.
@@ -371,10 +372,8 @@ private static String createQueryString(String queryString, String matchingReque
 		if (queryString == null || queryString.length() == 0) {
 			return matchingRequestParameterName;
 		}
-		if (queryString.endsWith("&")) {
-			return queryString + matchingRequestParameterName;
-		}
-		return queryString + "&" + matchingRequestParameterName;
+		return UriComponentsBuilder.newInstance().query(queryString).replaceQueryParam(matchingRequestParameterName)
+				.queryParam(matchingRequestParameterName).build().getQuery();
 	}
 
 	/**

web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java

@@ -122,4 +122,14 @@ public void getRedirectUrlWhenQueryDoesNotEndAmpersandAndMatchingRequestParamete
 		assertThat(new URL(savedRequest.getRedirectUrl())).hasQuery("foo=bar&success");
 	}
 
+	// gh-13438
+	@Test
+	public void getRedirectUrlWhenQueryAlreadyHasSuccessThenDoesNotAdd() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setQueryString("foo=bar&success");
+		DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443),
+				"success");
+		assertThat(savedRequest.getRedirectUrl()).contains("foo=bar&success");
+	}
+
 }