mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.

Browse Source 
This is a security fix.
This commit is contained in:
Tim Graham
2017-03-14 10:46:53 -04:00
parent a1f948b468
commit 5ea48a70af
5 changed files with 93 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/releases/1.8.18.txt
View File

@@ -6,6 +6,18 @@ Django 1.8.18 release notes
Django 1.8.18 fixes two security issues in 1.8.17.
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
============================================================================================
Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================