mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
This commit is contained in:
parent
f43291639b
commit
c5544d2892
@ -290,8 +290,12 @@ def is_safe_url(url, host=None):
|
||||
url = url.strip()
|
||||
if not url:
|
||||
return False
|
||||
# Chrome treats \ completely as /
|
||||
url = url.replace('\\', '/')
|
||||
# Chrome treats \ completely as / in paths but it could be part of some
|
||||
# basic auth credentials so we need to check both URLs.
|
||||
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
|
||||
|
||||
|
||||
def _is_safe_url(url, host):
|
||||
# Chrome considers any URL with more than two slashes to be absolute, but
|
||||
# urlparse is not so flexible. Treat any url with three slashes as unsafe.
|
||||
if url.startswith('///'):
|
||||
|
@ -6,6 +6,22 @@ Django 1.8.10 release notes
|
||||
|
||||
Django 1.8.10 fixes two security issues and several bugs in 1.8.9.
|
||||
|
||||
CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
|
||||
===============================================================================================================
|
||||
|
||||
Django relies on user input in some cases (e.g.
|
||||
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
|
||||
to redirect the user to an "on success" URL. The security check for these
|
||||
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
|
||||
with basic authentication credentials "safe" when they shouldn't be.
|
||||
|
||||
For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
|
||||
considered safe if the request's host is ``http://mysite.example.com``, but
|
||||
redirecting to this URL sends the user to ``attacker.com``.
|
||||
|
||||
Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
|
||||
targets and puts such a URL into a link, they could suffer from an XSS attack.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
@ -6,6 +6,22 @@ Django 1.9.3 release notes
|
||||
|
||||
Django 1.9.3 fixes two security issues and several bugs in 1.9.2.
|
||||
|
||||
CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
|
||||
===============================================================================================================
|
||||
|
||||
Django relies on user input in some cases (e.g.
|
||||
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
|
||||
to redirect the user to an "on success" URL. The security check for these
|
||||
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
|
||||
with basic authentication credentials "safe" when they shouldn't be.
|
||||
|
||||
For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
|
||||
considered safe if the request's host is ``http://mysite.example.com``, but
|
||||
redirecting to this URL sends the user to ``attacker.com``.
|
||||
|
||||
Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
|
||||
targets and puts such a URL into a link, they could suffer from an XSS attack.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
@ -97,6 +97,11 @@ class TestUtilsHttp(unittest.TestCase):
|
||||
'javascript:alert("XSS")',
|
||||
'\njavascript:alert(x)',
|
||||
'\x08//example.com',
|
||||
r'http://otherserver\@example.com',
|
||||
r'http:\\testserver\@example.com',
|
||||
r'http://testserver\me:pass@example.com',
|
||||
r'http://testserver\@example.com',
|
||||
r'http:\\testserver\confirm\me@example.com',
|
||||
'\n'):
|
||||
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
|
||||
for good_url in ('/view/?param=http://example.com',
|
||||
@ -106,8 +111,15 @@ class TestUtilsHttp(unittest.TestCase):
|
||||
'https://testserver/',
|
||||
'HTTPS://testserver/',
|
||||
'//testserver/',
|
||||
'http://testserver/confirm?email=me@example.com',
|
||||
'/url%20with%20spaces/'):
|
||||
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
|
||||
# Valid basic auth credentials are allowed.
|
||||
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
|
||||
# A path without host is allowed.
|
||||
self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
|
||||
# Basic auth without host is not allowed.
|
||||
self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
|
||||
|
||||
def test_urlsafe_base64_roundtrip(self):
|
||||
bytestring = b'foo'
|
||||
|
Loading…
Reference in New Issue
Block a user