
[1.5.x] Prevented reverse() from generating URLs pointing to other hosts.

This is a security fix. Disclosure following shortly.
apollo13 authored and timgraham committed Jul 17, 2014
1 parent 25d9ae5 commit 45ac9d4fb087d21902469fc22643f5201d41a0cd
@@ -426,6 +426,8 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs):
unicode_kwargs = dict([(k, force_text(v)) for (k, v) in kwargs.items()])
candidate = (prefix_norm.replace('%', '%%') + result) % unicode_kwargs
if re.search('^%s%s' % (prefix_norm, pattern), candidate, re.UNICODE):
if candidate.startswith('//'):
candidate = '/%%2F%s' % candidate[2:]
return candidate
# lookup_view can be URL label, or dotted path, or callable, Any of
# these can be passed in at the top, but callables are not friendly in
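Review bot: the `candidate.startswith('//')` rewrite has no comment explaining why the second slash becomes `%2F`, so a later reader will see what looks like an arbitrary encoding step; suggest a one-line comment above it such as `# A leading '//' would make the URL scheme-relative (another host); encode the second slash so it stays relative to this domain.` The same comment should mention that `'/%%2F%s'` doubles the percent sign because the string is a `%`-format template, otherwise someone will "fix" it to `/%2F%s` and the formatting will break.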
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
*Under development*

Django 1.4.14 fixes several security issues in 1.4.13.

:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================

In certain situations, URL reversing could generate scheme-relative URLs (URLs
starting with two slashes), which could unexpectedly redirect a user to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.
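Review bot: "user's passwords" in the first paragraph should read "users' passwords". More importantly, the notes say the problem arises "in certain situations" without naming them: the trigger is a URL pattern whose first captured argument can itself begin with a slash (the test added in this commit reverses `['/example.com']`), and one sentence saying so would let readers judge whether their own URLconfs were exposed before upgrading.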
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
*Under development*

Django 1.5.9 fixes several security issues in 1.5.8.

:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================

In certain situations, URL reversing could generate scheme-relative URLs (URLs
starting with two slashes), which could unexpectedly redirect a user to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.
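Review bot: this section is a verbatim copy of the 1.4.14 text, so the same two points apply: "user's passwords" should be "users' passwords", and the "certain situations" wording deserves a sentence naming the condition (a pattern whose first argument may start with a slash). Keeping the two release-note files identical is fine, but apply the edits to both together.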
@@ -143,6 +143,9 @@
('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
('defaults', NoReverseMatch, [], {'arg2': 1}),

# Security tests
('security', '/%2Fexample.com/security/', ['/example.com'], {}),
)

class NoURLPatternsTests(TestCase):
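Review bot: the single security row only pins down that `'/example.com'` reverses to `'/%2Fexample.com/security/'`; add a companion row with an argument that has no leading slash (say `'example.com'` expecting `'/example.com/security/'`) so the test also proves the rewrite fires only when the candidate would begin with `//` and does not touch ordinary URLs. Since the release notes claim "semantics stay the same", a further check that the encoded URL still resolves to the `security` view would back that claim with a test rather than an assertion in prose.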
@@ -71,4 +71,7 @@
(r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),

url('^includes/', include(other_patterns)),

# Security tests
url('(.+)/security/$', empty_view, name='security'),
)
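Review bot: `url('(.+)/security/$', ...)` intentionally lets the captured group contain slashes, which is exactly what allows the reversed value `/example.com` to produce a candidate starting with `//`; the bare `# Security tests` header does not say so, and a short comment would stop someone later "tightening" the pattern to `[^/]+` and silently neutralising the test. The pattern also omits the leading `^` used by `'^includes/'` two lines above; harmless here, but worth matching for consistency with the rest of this urlconf.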
