Loading django/core/urlresolvers.py +2 −0 Original line number Diff line number Diff line Loading @@ -426,6 +426,8 @@ class RegexURLResolver(LocaleRegexProvider): unicode_kwargs = dict([(k, force_text(v)) for (k, v) in kwargs.items()]) candidate = (prefix_norm.replace('%', '%%') + result) % unicode_kwargs if re.search('^%s%s' % (prefix_norm, pattern), candidate, re.UNICODE): if candidate.startswith('//'): candidate = '/%%2F%s' % candidate[2:] return candidate # lookup_view can be URL label, or dotted path, or callable, Any of # these can be passed in at the top, but callables are not friendly in Loading docs/releases/1.4.14.txt +13 −0 Original line number Diff line number Diff line Loading @@ -5,3 +5,16 @@ Django 1.4.14 release notes *Under development* Django 1.4.14 fixes several security issues in 1.4.13. :func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts ======================================================================================= In certain situations, URL reversing could generate scheme-relative URLs (URLs starting with two slashes), which could unexpectedly redirect a user to a different host. An attacker could exploit this, for example, by redirecting users to a phishing site designed to ask for user's passwords. To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the scheme. docs/releases/1.5.9.txt +13 −0 Original line number Diff line number Diff line Loading @@ -5,3 +5,16 @@ Django 1.5.9 release notes *Under development* Django 1.5.9 fixes several security issues in 1.5.8. :func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts ======================================================================================= In certain situations, URL reversing could generate scheme-relative URLs (URLs starting with two slashes), which could unexpectedly redirect a user to a different host. An attacker could exploit this, for example, by redirecting users to a phishing site designed to ask for user's passwords. To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the scheme. tests/regressiontests/urlpatterns_reverse/tests.py +3 −0 Original line number Diff line number Diff line Loading @@ -143,6 +143,9 @@ test_data = ( ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}), ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}), ('defaults', NoReverseMatch, [], {'arg2': 1}), # Security tests ('security', '/%2Fexample.com/security/', ['/example.com'], {}), ) class NoURLPatternsTests(TestCase): Loading tests/regressiontests/urlpatterns_reverse/urls.py +3 −0 Original line number Diff line number Diff line Loading @@ -71,4 +71,7 @@ urlpatterns = patterns('', (r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'), url('^includes/', include(other_patterns)), # Security tests url('(.+)/security/$', empty_view, name='security'), ) Loading
django/core/urlresolvers.py +2 −0 Original line number Diff line number Diff line Loading @@ -426,6 +426,8 @@ class RegexURLResolver(LocaleRegexProvider): unicode_kwargs = dict([(k, force_text(v)) for (k, v) in kwargs.items()]) candidate = (prefix_norm.replace('%', '%%') + result) % unicode_kwargs if re.search('^%s%s' % (prefix_norm, pattern), candidate, re.UNICODE): if candidate.startswith('//'): candidate = '/%%2F%s' % candidate[2:] return candidate # lookup_view can be URL label, or dotted path, or callable, Any of # these can be passed in at the top, but callables are not friendly in Loading
docs/releases/1.4.14.txt +13 −0 Original line number Diff line number Diff line Loading @@ -5,3 +5,16 @@ Django 1.4.14 release notes *Under development* Django 1.4.14 fixes several security issues in 1.4.13. :func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts ======================================================================================= In certain situations, URL reversing could generate scheme-relative URLs (URLs starting with two slashes), which could unexpectedly redirect a user to a different host. An attacker could exploit this, for example, by redirecting users to a phishing site designed to ask for user's passwords. To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the scheme.
docs/releases/1.5.9.txt +13 −0 Original line number Diff line number Diff line Loading @@ -5,3 +5,16 @@ Django 1.5.9 release notes *Under development* Django 1.5.9 fixes several security issues in 1.5.8. :func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts ======================================================================================= In certain situations, URL reversing could generate scheme-relative URLs (URLs starting with two slashes), which could unexpectedly redirect a user to a different host. An attacker could exploit this, for example, by redirecting users to a phishing site designed to ask for user's passwords. To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the scheme.
tests/regressiontests/urlpatterns_reverse/tests.py +3 −0 Original line number Diff line number Diff line Loading @@ -143,6 +143,9 @@ test_data = ( ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}), ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}), ('defaults', NoReverseMatch, [], {'arg2': 1}), # Security tests ('security', '/%2Fexample.com/security/', ['/example.com'], {}), ) class NoURLPatternsTests(TestCase): Loading
tests/regressiontests/urlpatterns_reverse/urls.py +3 −0 Original line number Diff line number Diff line Loading @@ -71,4 +71,7 @@ urlpatterns = patterns('', (r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'), url('^includes/', include(other_patterns)), # Security tests url('(.+)/security/$', empty_view, name='security'), )
