[Python-modules-commits] [python-django] 04/10: CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth
Luke Faraone
lfaraone at moszumanska.debian.org
Sat Oct 29 20:54:09 UTC 2016
This is an automated email from the git hooks/post-receive script.
lfaraone pushed a commit to branch debian/jessie
in repository python-django.
commit d6b0e58c4333f1c3277283d1e3cdf4e129d8fbbb
Author: Mark Striemer <mstriemer at mozilla.com>
Date: Thu Jul 21 04:33:10 2016 +0200
CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth
Origin: upstream, https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
Bug-Debian: https://bugs.debian.org/816434
Forwarded: not-needed
Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
Last-Update: 2016-03-12
Applied-Upstream: 1.8.10
---
django/utils/http.py | 8 ++++++--
tests/utils_tests/test_http.py | 12 ++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/django/utils/http.py b/django/utils/http.py
index ef88f65..007edd4 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -274,8 +274,12 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
- # Chrome treats \ completely as /
- url = url.replace('\\', '/')
+ # Chrome treats \ completely as / in paths but it could be part of some
+ # basic auth credentials so we need to check both URLs.
+ return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+
+def _is_safe_url(url, host):
# Chrome considers any URL with more than two slashes to be absolute, but
# urlparse is not so flexible. Treat any url with three slashes as unsafe.
if url.startswith('///'):
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 3b367a4..c8fe0b3 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -110,6 +110,11 @@ class TestUtilsHttp(unittest.TestCase):
'javascript:alert("XSS")',
'\njavascript:alert(x)',
'\x08//example.com',
+ r'http://otherserver\@example.com',
+ r'http:\\testserver\@example.com',
+ r'http://testserver\me:pass@example.com',
+ r'http://testserver\@example.com',
+ r'http:\\testserver\confirm\me at example.com',
'\n'):
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
for good_url in ('/view/?param=http://example.com',
@@ -119,8 +124,15 @@ class TestUtilsHttp(unittest.TestCase):
'https://testserver/',
'HTTPS://testserver/',
'//testserver/',
+ 'http://testserver/confirm?email=me@example.com',
'/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+ # Valid basic auth credentials are allowed.
+ self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass at testserver'))
+ # A path without host is allowed.
+ self.assertTrue(http.is_safe_url('/confirm/me at example.com'))
+ # Basic auth without host is not allowed.
+ self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
def test_urlsafe_base64_roundtrip(self):
bytestring = b'foo'
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git
More information about the Python-modules-commits
mailing list