Showing content from https://github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9 below:

[1.6.x] Made is_safe_url() reject URLs that start with control charac… · django/django@5510f07 · GitHub

4 files changed (+51 -5 lines changed)

Original file line number Diff line number Diff line change

@@ -5,7 +5,7 @@

5 5

import datetime

6 6

import re

7 7

import sys

8 - 8 +

import unicodedata

9 9

from binascii import Error as BinasciiError

10 10

from email.utils import formatdate

11 11

@@ -254,9 +254,10 @@ def is_safe_url(url, host=None):

254 254 255 255

Always returns ``False`` on an empty url.

256 256

"""

257 +

if url is not None:

258 +

url = url.strip()

257 259

if not url:

258 260

return False

259 -

url = url.strip()

260 261

# Chrome treats \ completely as /

261 262

url = url.replace('\\', '/')

262 263

# Chrome considers any URL with more than two slashes to be absolute, but
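Review bot: moving `url = url.strip()` ahead of the `if not url` check (guarded by `if url is not None`) closes a second gap besides the one named in the commit title. With the old order a whitespace-only value such as `'\n'` passed `if not url`, was stripped to an empty string, and then reached the final return, which accepts an empty netloc and an empty scheme, so it was reported safe. The `is not None` guard is required because the old code relied on `if not url` to catch `None` before `.strip()` was called. Worth a short comment in the code: `strip()` only removes whitespace, so `\n`, `\t` and `\r` are handled here while a character such as `\x08` is left for the control-character check later in the function; the two steps are complementary, and the emptiness check after stripping is also what makes the later `url[0]` indexing safe.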

@@ -270,5 +271,10 @@ def is_safe_url(url, host=None):

270 271

# allow this syntax.

271 272

if not url_info.netloc and url_info.scheme:

272 273

return False

273 -

return (not url_info.netloc or url_info.netloc == host) and \

274 -

(not url_info.scheme or url_info.scheme in ['http', 'https'])

274 +

# Forbid URLs that start with control characters. Some browsers (like

275 +

# Chrome) ignore quite a few control characters at the start of a

276 +

# URL and might consider the URL as scheme relative.

277 +

if unicodedata.category(url[0])[0] == 'C':

278 +

return False

279 +

return ((not url_info.netloc or url_info.netloc == host) and

280 +

(not url_info.scheme or url_info.scheme in ['http', 'https']))
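Review bot: two points on the new check. First, `unicodedata.category(url[0])[0] == 'C'` matches every Unicode "Other" category (Cc, Cf, Cs, Co, Cn), not only control characters, so a leading format character such as a zero-width space or a byte-order mark, or an unassigned code point, is rejected as well. That is a sensible default, but the comment above it should say so; "control characters" understates the rule, and someone later narrowing the test to Cc would reopen the Cf case. Second, on Python 2 `unicodedata.category()` requires a `unicode` argument, and the `[1.6.x]` branch still supports Python 2; if `url` can arrive as a byte string this line raises `TypeError` instead of returning `False`, so either coerce `url` to text before the check or document that callers must pass text. The `url[0]` index itself is safe because the empty case has already returned. Rewriting the backslash continuation of the return statement as a parenthesised expression is a pure style change, fine but unrelated to the fix.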

Original file line number Diff line number Diff line change

@@ -5,3 +5,22 @@ Django 1.4.20 release notes

5 5

*March 18, 2015*

6 6 7 7

Django 1.4.20 fixes one security issue in 1.4.19.

8 + 9 +

Mitigated possible XSS attack via user-supplied redirect URLs

10 +

=============================================================

11 + 12 +

Django relies on user input in some cases (e.g.

13 +

:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)

14 +

to redirect the user to an "on success" URL. The security checks for these

15 +

redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with

16 +

leading control characters and so considered URLs like ``\x08javascript:...``

17 +

safe. This issue doesn't affect Django currently, since we only put this URL

18 +

into the ``Location`` response header and browsers seem to ignore JavaScript

19 +

there. Browsers we tested also treat URLs prefixed with control characters such

20 +

as ``%08//example.com`` as relative paths so redirection to an unsafe target

21 +

isn't a problem either.

22 + 23 +

However, if a developer relies on ``is_safe_url()`` to

24 +

provide safe redirect targets and puts such a URL into a link, they could

25 +

suffer from an XSS attack as some browsers such as Google Chrome ignore control

26 +

characters at the start of a URL in an anchor ``href``.
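Review bot: the notes describe the control-character case but not the second behaviour change in the same fix: `is_safe_url()` now strips whitespace before the emptiness check, so a whitespace-only URL (for example `'\n'`), which previously was stripped to an empty string and then accepted by the final return, is now rejected. A sentence to that effect would help developers who see redirects falling back to the default target after upgrading. Also, "This issue doesn't affect Django currently" reads as if the bug were absent; "doesn't affect Django's own redirect views" would match the explanation about the `Location` header that follows it.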

Original file line number Diff line number Diff line change

@@ -22,3 +22,22 @@ it detects the length of the string it's processing increases. Remember that

22 22

absolutely NO guarantee is provided about the results of ``strip_tags()`` being

23 23

HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without

24 24

escaping it first, for example with :func:`~django.utils.html.escape`.

25 + 26 +

Mitigated possible XSS attack via user-supplied redirect URLs

27 +

=============================================================

28 + 29 +

Django relies on user input in some cases (e.g.

30 +

:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)

31 +

to redirect the user to an "on success" URL. The security checks for these

32 +

redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with

33 +

leading control characters and so considered URLs like ``\x08javascript:...``

34 +

safe. This issue doesn't affect Django currently, since we only put this URL

35 +

into the ``Location`` response header and browsers seem to ignore JavaScript

36 +

there. Browsers we tested also treat URLs prefixed with control characters such

37 +

as ``%08//example.com`` as relative paths so redirection to an unsafe target

38 +

isn't a problem either.

39 + 40 +

However, if a developer relies on ``is_safe_url()`` to

41 +

provide safe redirect targets and puts such a URL into a link, they could

42 +

suffer from an XSS attack as some browsers such as Google Chrome ignore control

43 +

characters at the start of a URL in an anchor ``href``.
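Review bot: this block is a verbatim copy of the 1.4.20 notes above, which is the usual convention for notes on a backported security fix; any wording change made to one copy, including a mention of the whitespace-only case, needs to be applied to both so the two release-notes files do not drift apart.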

Original file line number Diff line number Diff line change

@@ -110,7 +110,9 @@ def test_is_safe_url(self):

110 110

'http:\/example.com',

111 111

'http:/\example.com',

112 112

'javascript:alert("XSS")',

113 -

'\njavascript:alert(x)'):

113 +

'\njavascript:alert(x)',

114 +

'\x08//example.com',

115 +

'\n'):

114 116

self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)

115 117

for good_url in ('/view/?param=http://example.com',

116 118

'/view/?param=https://example.com',
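Review bot: the three new bad cases cover the stripped-to-empty input (`'\n'`), the stripped-then-rejected scheme (`'\njavascript:alert(x)'`), and an unstripped control character (`'\x08//example.com'`). Two additions would pin the new check down more precisely: a control character in front of an otherwise safe relative path, such as `'\x08/view/'`, which isolates the category check from the netloc/scheme logic, and a non-ASCII format character such as U+200B (zero-width space) in front of `//example.com`, since the check rejects every `C*` category and the test should document that intent. If byte-string input on Python 2 is meant to be supported, a byte-string case belongs here as well, because `unicodedata.category()` only accepts text there.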
