Loading django/utils/http.py +6 −2 Original line number Diff line number Diff line Loading @@ -290,8 +290,12 @@ def is_safe_url(url, host=None): url = url.strip() if not url: return False # Chrome treats \ completely as / url = url.replace('\\', '/') # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) def _is_safe_url(url, host): # Chrome considers any URL with more than two slashes to be absolute, but # urlparse is not so flexible. Treat any url with three slashes as unsafe. if url.startswith('///'): Loading docs/releases/1.8.10.txt +16 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,22 @@ Django 1.8.10 release notes Django 1.8.10 fixes two security issues and several bugs in 1.8.9. CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth =============================================================================================================== Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs with basic authentication credentials "safe" when they shouldn't be. For example, a URL like ``http://mysite.example.com\@attacker.com`` would be considered safe if the request's host is ``http://mysite.example.com``, but redirecting to this URL sends the user to ``attacker.com``. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. Bugfixes ======== Loading docs/releases/1.9.3.txt +16 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,22 @@ Django 1.9.3 release notes Django 1.9.3 fixes two security issues and several bugs in 1.9.2. CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth =============================================================================================================== Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs with basic authentication credentials "safe" when they shouldn't be. For example, a URL like ``http://mysite.example.com\@attacker.com`` would be considered safe if the request's host is ``http://mysite.example.com``, but redirecting to this URL sends the user to ``attacker.com``. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. Bugfixes ======== Loading tests/utils_tests/test_http.py +12 −0 Original line number Diff line number Diff line Loading @@ -97,6 +97,11 @@ class TestUtilsHttp(unittest.TestCase): 'javascript:alert("XSS")', '\njavascript:alert(x)', '\x08//example.com', r'http://otherserver\@example.com', r'http:\\testserver\@example.com', r'http://testserver\me:pass@example.com', r'http://testserver\@example.com', r'http:\\testserver\confirm\me@example.com', '\n'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', Loading @@ -106,8 +111,15 @@ class TestUtilsHttp(unittest.TestCase): 'https://testserver/', 'HTTPS://testserver/', '//testserver/', 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) # A path without host is allowed. self.assertTrue(http.is_safe_url('/confirm/me@example.com')) # Basic auth without host is not allowed. self.assertFalse(http.is_safe_url(r'http://testserver\@example.com')) def test_urlsafe_base64_roundtrip(self): bytestring = b'foo' Loading Loading
django/utils/http.py +6 −2 Original line number Diff line number Diff line Loading @@ -290,8 +290,12 @@ def is_safe_url(url, host=None): url = url.strip() if not url: return False # Chrome treats \ completely as / url = url.replace('\\', '/') # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) def _is_safe_url(url, host): # Chrome considers any URL with more than two slashes to be absolute, but # urlparse is not so flexible. Treat any url with three slashes as unsafe. if url.startswith('///'): Loading
docs/releases/1.8.10.txt +16 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,22 @@ Django 1.8.10 release notes Django 1.8.10 fixes two security issues and several bugs in 1.8.9. CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth =============================================================================================================== Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs with basic authentication credentials "safe" when they shouldn't be. For example, a URL like ``http://mysite.example.com\@attacker.com`` would be considered safe if the request's host is ``http://mysite.example.com``, but redirecting to this URL sends the user to ``attacker.com``. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. Bugfixes ======== Loading
docs/releases/1.9.3.txt +16 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,22 @@ Django 1.9.3 release notes Django 1.9.3 fixes two security issues and several bugs in 1.9.2. CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth =============================================================================================================== Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs with basic authentication credentials "safe" when they shouldn't be. For example, a URL like ``http://mysite.example.com\@attacker.com`` would be considered safe if the request's host is ``http://mysite.example.com``, but redirecting to this URL sends the user to ``attacker.com``. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. Bugfixes ======== Loading
tests/utils_tests/test_http.py +12 −0 Original line number Diff line number Diff line Loading @@ -97,6 +97,11 @@ class TestUtilsHttp(unittest.TestCase): 'javascript:alert("XSS")', '\njavascript:alert(x)', '\x08//example.com', r'http://otherserver\@example.com', r'http:\\testserver\@example.com', r'http://testserver\me:pass@example.com', r'http://testserver\@example.com', r'http:\\testserver\confirm\me@example.com', '\n'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', Loading @@ -106,8 +111,15 @@ class TestUtilsHttp(unittest.TestCase): 'https://testserver/', 'HTTPS://testserver/', '//testserver/', 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) # A path without host is allowed. self.assertTrue(http.is_safe_url('/confirm/me@example.com')) # Basic auth without host is not allowed. self.assertFalse(http.is_safe_url(r'http://testserver\@example.com')) def test_urlsafe_base64_roundtrip(self): bytestring = b'foo' Loading
