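--- a/django/views/static.py
+++ b/django/views/static.py
@@ -12,9 +12,9 @@
 
 from django.http import (
     FileResponse, Http404, HttpResponse, HttpResponseNotModified,
-    HttpResponseRedirect,
 )
 from django.template import Context, Engine, TemplateDoesNotExist, loader
+from django.utils._os import safe_join
 from django.utils.http import http_date, parse_http_date
 from django.utils.six.moves.urllib.parse import unquote
 from django.utils.translation import ugettext as _, ugettext_lazy
@@ -36,25 +36,11 @@ def serve(request, path, document_root=None, show_indexes=False):
     but if you'd like to override it, you can create a template called
     ``static/directory_index.html``.
     """
-    path = posixpath.normpath(unquote(path))
-    path = path.lstrip('/')
-    newpath = ''
-    for part in path.split('/'):
-        if not part:
-            # Strip empty path components.
-            continue
-        drive, part = os.path.splitdrive(part)
-        head, part = os.path.split(part)
-        if part in (os.curdir, os.pardir):
-            # Strip '.' and '..' in path.
-            continue
-        newpath = os.path.join(newpath, part).replace('\\', '/')
-    if newpath and path != newpath:
-        return HttpResponseRedirect(newpath)
-    fullpath = os.path.join(document_root, newpath)
+    path = posixpath.normpath(unquote(path)).lstrip('/')
+    fullpath = safe_join(document_root, path)
     if os.path.isdir(fullpath):
         if show_indexes:
-            return directory_index(newpath, fullpath)
+            return directory_index(path, fullpath)
         raise Http404(_("Directory indexes are not allowed here."))
     if not os.path.exists(fullpath):
         raise Http404(_('"%(path)s" does not exist') % {'path': fullpath})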
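Review bot: `safe_join(document_root, path)` on new line 40 raises `SuspiciousFileOperation` when the normalised path would resolve outside `document_root`, and nothing in the hunk catches it, so a reader has to know that propagating the exception (rather than redirecting, as the removed loop did) is the intended outcome; a comment above the call, `# safe_join() raises SuspiciousFileOperation for paths that escape document_root; let it propagate to the framework's error handling instead of redirecting.`, would record that. The `directory_index(path, fullpath)` call at new line 43 now receives the normalised request path instead of the rebuilt `newpath`; `directory_index` is outside this hunk, so it is worth confirming it uses that argument only for display. `serve()` begins before line 36 and continues past line 46, outside the hunk.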
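--- a/RELEASE_NOTES_PATH_NOT_SHOWN
+++ b/RELEASE_NOTES_PATH_NOT_SHOWN
@@ -5,3 +5,14 @@ Django 1.8.18 release notes
 *April 4, 2017*
 
 Django 1.8.18 fixes two security issues in 1.8.17.
+
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.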