@@ -290,8 +290,12 @@ def is_safe_url(url, host=None):

url = url.strip()

if not url:

return False

# Chrome treats \ completely as /

url = url.replace('\\', '/')

# Chrome treats \ completely as / in paths but it could be part of some

# basic auth credentials so we need to check both URLs.

return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

def _is_safe_url(url, host):

# Chrome considers any URL with more than two slashes to be absolute, but

# urlparse is not so flexible. Treat any url with three slashes as unsafe.

if url.startswith('///'):

@@ -6,6 +6,22 @@ Django 1.8.10 release notes

Django 1.8.10 fixes two security issues and several bugs in 1.8.9.

CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth

===============================================================================================================

Django relies on user input in some cases (e.g.

:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)

to redirect the user to an "on success" URL. The security check for these

redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs

with basic authentication credentials "safe" when they shouldn't be.

For example, a URL like ``http://mysite.example.com\@attacker.com`` would be

considered safe if the request's host is ``http://mysite.example.com``, but

redirecting to this URL sends the user to ``attacker.com``.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect

targets and puts such a URL into a link, they could suffer from an XSS attack.

Bugfixes

========

@@ -6,6 +6,22 @@ Django 1.9.3 release notes

Django 1.9.3 fixes two security issues and several bugs in 1.9.2.

CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth

===============================================================================================================

Django relies on user input in some cases (e.g.

:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)

to redirect the user to an "on success" URL. The security check for these

redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs

with basic authentication credentials "safe" when they shouldn't be.

For example, a URL like ``http://mysite.example.com\@attacker.com`` would be

considered safe if the request's host is ``http://mysite.example.com``, but

redirecting to this URL sends the user to ``attacker.com``.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect

targets and puts such a URL into a link, they could suffer from an XSS attack.

Bugfixes

========

@@ -92,6 +92,11 @@ def test_is_safe_url(self):

'javascript:alert("XSS")',

'\njavascript:alert(x)',

'\x08//example.com',

r'http://otherserver\@example.com',

r'http:\\testserver\@example.com',

r'http://testserver\me:pass@example.com',

r'http://testserver\@example.com',

r'http:\\testserver\confirm\me@example.com',

'\n'):

self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)

for good_url in ('/view/?param=http://example.com',

@@ -101,8 +106,15 @@ def test_is_safe_url(self):

'https://testserver/',

'HTTPS://testserver/',

'//testserver/',

'http://testserver/confirm?email=me@example.com',

'/url%20with%20spaces/'):

self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)

# Valid basic auth credentials are allowed.

self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))

# A path without host is allowed.

self.assertTrue(http.is_safe_url('/confirm/me@example.com'))

# Basic auth without host is not allowed.

self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))

def test_urlsafe_base64_roundtrip(self):

bytestring = b'foo'