
[1.7.x] Made is_safe_url() reject URLs that start with control characters.

This is a security fix; disclosure to follow shortly.
This commit is contained in:
Tim Graham
2015-03-09 20:05:13 -04:00
parent e63363f8e0
commit 2a4113dbd5
5 changed files with 68 additions and 3 deletions


@@ -5,7 +5,7 @@ import calendar
import datetime
import re
import sys
import unicodedata
from binascii import Error as BinasciiError
from email.utils import formatdate
@@ -270,9 +270,10 @@ def is_safe_url(url, host=None):
Always returns ``False`` on an empty url.
"""
if url is not None:
url = url.strip()
if not url:
return False
url = url.strip()
# Chrome treats \ completely as /
url = url.replace('\\', '/')
# Chrome considers any URL with more than two slashes to be absolute, but
@@ -286,5 +287,10 @@ def is_safe_url(url, host=None):
# allow this syntax.
if not url_info.netloc and url_info.scheme:
return False
# Forbid URLs that start with control characters. Some browsers (like
# Chrome) ignore quite a few control characters at the start of a
# URL and might consider the URL as scheme relative.
if unicodedata.category(url[0])[0] == 'C':
return False
return ((not url_info.netloc or url_info.netloc == host) and
(not url_info.scheme or url_info.scheme in ['http', 'https']))
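Review bot: The new check `if unicodedata.category(url[0])[0] == 'C':` indexes `url[0]` and is only safe because the `if not url: return False` test (moved after `strip()` in the @@ -270 hunk) guarantees a non-empty string by this point; that dependency spans two hunks and deserves a comment, e.g. `# url is non-empty here (the empty check above runs after strip()), so url[0] is safe.` The docstring line `Always returns ``False`` on an empty url.` is now also true for whitespace-only input, since stripping precedes the emptiness test — consider `Always returns ``False`` on an empty or whitespace-only url.` The check is not redundant with `strip()`, because `str.strip()` removes only whitespace, so a leading non-whitespace control character (category Cc, such as NUL) survives to this point; worth a clause in the comment so a future reader does not fold the two. Only the first character is examined, which appears to match the browser behaviour the comment describes, but the comment could state that explicitly. is_safe_url's body begins outside this hunk.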