+34
-0
lines changedFilter options
+34
-0
lines changed Original file line number Diff line number Diff line change
@@ -426,6 +426,8 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs):
426 426
unicode_kwargs = dict([(k, force_text(v)) for (k, v) in kwargs.items()])
427 427
candidate = (prefix_norm.replace('%', '%%') + result) % unicode_kwargs
428 428
if re.search('^%s%s' % (prefix_norm, pattern), candidate, re.UNICODE):
429 +
if candidate.startswith('//'):
430 +
candidate = '/%%2F%s' % candidate[2:]
429 431
return candidate
430 432
# lookup_view can be URL label, or dotted path, or callable, Any of
431 433
# these can be passed in at the top, but callables are not friendly in
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
5 5
*Under development*
6 6 7 7
Django 1.4.14 fixes several security issues in 1.4.13.
8 + 9 +
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10 +
=======================================================================================
11 + 12 +
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13 +
starting with two slashes), which could unexpectedly redirect a user to a
14 +
different host. An attacker could exploit this, for example, by redirecting
15 +
users to a phishing site designed to ask for user's passwords.
16 + 17 +
To remedy this, URL reversing now ensures that no URL starts with two slashes
18 +
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19 +
approach ensures that semantics stay the same, while making the URL relative to
20 +
the domain and not to the scheme.
Original file line number Diff line number Diff line change
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
5 5
*Under development*
6 6 7 7
Django 1.5.9 fixes several security issues in 1.5.8.
8 + 9 +
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10 +
=======================================================================================
11 + 12 +
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13 +
starting with two slashes), which could unexpectedly redirect a user to a
14 +
different host. An attacker could exploit this, for example, by redirecting
15 +
users to a phishing site designed to ask for user's passwords.
16 + 17 +
To remedy this, URL reversing now ensures that no URL starts with two slashes
18 +
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19 +
approach ensures that semantics stay the same, while making the URL relative to
20 +
the domain and not to the scheme.
Original file line number Diff line number Diff line change
@@ -143,6 +143,9 @@
143 143
('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
144 144
('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
145 145
('defaults', NoReverseMatch, [], {'arg2': 1}),
146 + 147 +
# Security tests
148 +
('security', '/%2Fexample.com/security/', ['/example.com'], {}),
146 149
)
147 150 148 151
class NoURLPatternsTests(TestCase):
@@ -71,4 +71,7 @@
71 71
(r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
72 72 73 73
url('^includes/', include(other_patterns)),
74 + 75 +
# Security tests
76 +
url('(.+)/security/$', empty_view, name='security'),
74 77
)
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4