+50 -1 lines changed
Original file line number Diff line number Diff line change
@@ -442,7 +442,11 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs):
442
442
candidate_pat = prefix_norm.replace('%', '%%') + result
443
443
if re.search('^%s%s' % (prefix_norm, pattern), candidate_pat % candidate_subs, re.UNICODE):
444
444
candidate_subs = dict((k, urlquote(v)) for (k, v) in candidate_subs.items())
445
-
return candidate_pat % candidate_subs
445
+
url = candidate_pat % candidate_subs
446
+
# Don't allow construction of scheme relative urls.
447
+
if url.startswith('//'):
448
+
url = '/%%2F%s' % url[2:]
449
+
return url
446
450
# lookup_view can be URL label, or dotted path, or callable, Any of
447
451
# these can be passed in at the top, but callables are not friendly in
448
452
# error messages.
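Review bot: the new `if url.startswith('//')` check is applied to the fully substituted and quoted string, which is the right point, but the comment `# Don't allow construction of scheme relative urls.` should also say why the second slash is replaced with `%2F` instead of being dropped: `/%2Fexample.com/...` keeps the caller's segment intact while forcing the result to be host-relative, whereas stripping a slash would silently change the path. It is also worth a comment that only the leading pair is handled; an input yielding `///x` becomes `/%2F/x` (still host-relative), and a `//` later in the path is left alone, since `startswith('//')` is the entire defence.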
Original file line number Diff line number Diff line change
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
5
5
*Under development*
6
6
7
7
Django 1.4.14 fixes several security issues in 1.4.13.
8
+
9
+
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10
+
=======================================================================================
11
+
12
+
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13
+
starting with two slashes), which could unexpectedly redirect a user to a
14
+
different host. An attacker could exploit this, for example, by redirecting
15
+
users to a phishing site designed to ask for user's passwords.
16
+
17
+
To remedy this, URL reversing now ensures that no URL starts with two slashes
18
+
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19
+
approach ensures that semantics stay the same, while making the URL relative to
20
+
the domain and not to the scheme.
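Review bot: two wording fixes in the new paragraphs: "user's passwords" should be "users' passwords" (plural possessive), and "URL encoded counterpart" reads better as "URL-encoded counterpart". Consider also naming the visible effect for readers who grep their own URL conf: a reversed URL that previously began with `//` now begins with `/%2F`.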
Original file line number Diff line number Diff line change
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
5
5
*Under development*
6
6
7
7
Django 1.5.9 fixes several security issues in 1.5.8.
8
+
9
+
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10
+
=======================================================================================
11
+
12
+
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13
+
starting with two slashes), which could unexpectedly redirect a user to a
14
+
different host. An attacker could exploit this, for example, by redirecting
15
+
users to a phishing site designed to ask for user's passwords.
16
+
17
+
To remedy this, URL reversing now ensures that no URL starts with two slashes
18
+
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19
+
approach ensures that semantics stay the same, while making the URL relative to
20
+
the domain and not to the scheme.
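Review bot: this hunk is a verbatim copy of the 1.4.14 note, so the same wording applies here: "user's passwords" should be "users' passwords" and "URL encoded" should be hyphenated; keep the three release notes identical so a later correction is not missed in one of them.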
Original file line number Diff line number Diff line change
@@ -6,6 +6,19 @@ Django 1.6.6 release notes
6
6
7
7
Django 1.6.6 fixes several security issues and bugs in 1.6.5.
8
8
9
+
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10
+
=======================================================================================
11
+
12
+
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13
+
starting with two slashes), which could unexpectedly redirect a user to a
14
+
different host. An attacker could exploit this, for example, by redirecting
15
+
users to a phishing site designed to ask for user's passwords.
16
+
17
+
To remedy this, URL reversing now ensures that no URL starts with two slashes
18
+
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19
+
approach ensures that semantics stay the same, while making the URL relative to
20
+
the domain and not to the scheme.
21
+
9
22
Bugfixes
10
23
========
11
24
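Review bot: the 1.6.6 note should mention the backwards-compatibility side of the fix: any existing `reverse()` call whose first path segment comes from a captured value that itself starts with `/` will now return `/%2F...` instead of `//...`, so code that compared or stored such URLs will see a different string. The added blank line before the `Bugfixes` heading is fine.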
Original file line number Diff line number Diff line change
@@ -151,6 +151,9 @@
151
151
('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
152
152
('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
153
153
('defaults', NoReverseMatch, [], {'arg2': 1}),
154
+
155
+
# Security tests
156
+
('security', '/%2Fexample.com/security/', ['/example.com'], {}),
154
157
)
155
158
156
159
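Review bot: the single `('security', '/%2Fexample.com/security/', ['/example.com'], {})` case only pins the exact two-slash prefix. To document the boundary of the fix, the `# Security tests` block should also cover a value with three leading slashes (expected `/%2F/...`, still host-relative) and a value containing `//` somewhere after the first segment (expected to pass through unchanged), so a future change to the `startswith('//')` check is caught.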
Original file line number Diff line number Diff line change
@@ -66,4 +66,7 @@
66
66
(r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
67
67
68
68
url('^includes/', include(other_patterns)),
69
+
70
+
# Security tests
71
+
url('(.+)/security/$', empty_view, name='security'),
69
72
)
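Review bot: `url('(.+)/security/$', empty_view, name='security')` is an unanchored, greedy pattern whose capture is meant to receive a value that itself begins with `/`; a one-line comment saying so (rather than just `# Security tests`) would tell the next reader why this entry looks different from the anchored `url('^includes/', ...)` above it and why the capture must sit at the very start of the reversed path.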