Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

[1.3.x] Fixed a security issue in http redirects. Disclosure and new …

…release forthcoming.

Backport of 4129201 from master.
  • Loading branch information...
commit 4dea4883e6c50d75f215a6b9bcbd95273f57c72d 1 parent b2eb478
Florian Apolloner authored July 30, 2012
21  django/http/__init__.py
@@ -4,7 +4,7 @@
4 4
 import time
5 5
 from pprint import pformat
6 6
 from urllib import urlencode, quote
7  
-from urlparse import urljoin
  7
+from urlparse import urljoin, urlparse
8 8
 try:
9 9
     from cStringIO import StringIO
10 10
 except ImportError:
@@ -117,6 +117,7 @@ def __init__(self, *args, **kwargs):
117 117
         warnings.warn("CompatCookie is deprecated, use django.http.SimpleCookie instead.",
118 118
                       PendingDeprecationWarning)
119 119
 
  120
+from django.core.exceptions import SuspiciousOperation
120 121
 from django.utils.datastructures import MultiValueDict, ImmutableList
121 122
 from django.utils.encoding import smart_str, iri_to_uri, force_unicode
122 123
 from django.utils.http import cookie_date
@@ -635,19 +636,21 @@ def tell(self):
635 636
             raise Exception("This %s instance cannot tell its position" % self.__class__)
636 637
         return sum([len(chunk) for chunk in self._container])
637 638
 
638  
-class HttpResponseRedirect(HttpResponse):
639  
-    status_code = 302
  639
+class HttpResponseRedirectBase(HttpResponse):
  640
+    allowed_schemes = ['http', 'https', 'ftp']
640 641
 
641 642
     def __init__(self, redirect_to):
642  
-        super(HttpResponseRedirect, self).__init__()
  643
+        super(HttpResponseRedirectBase, self).__init__()
  644
+        parsed = urlparse(redirect_to)
  645
+        if parsed.scheme and parsed.scheme not in self.allowed_schemes:
  646
+            raise SuspiciousOperation("Unsafe redirect to URL with scheme '%s'" % parsed.scheme)
643 647
         self['Location'] = iri_to_uri(redirect_to)
644 648
 
645  
-class HttpResponsePermanentRedirect(HttpResponse):
646  
-    status_code = 301
  649
+class HttpResponseRedirect(HttpResponseRedirectBase):
  650
+    status_code = 302
647 651
 
648  
-    def __init__(self, redirect_to):
649  
-        super(HttpResponsePermanentRedirect, self).__init__()
650  
-        self['Location'] = iri_to_uri(redirect_to)
  652
+class HttpResponsePermanentRedirect(HttpResponseRedirectBase):
  653
+    status_code = 301
651 654
 
652 655
 class HttpResponseNotModified(HttpResponse):
653 656
     status_code = 304
19  tests/regressiontests/httpwrappers/tests.py
... ...
@@ -1,8 +1,11 @@
1 1
 import copy
2 2
 import pickle
3 3
 
4  
-from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError,
5  
-        parse_cookie)
  4
+from django.core.exceptions import SuspiciousOperation
  5
+from django.http import (QueryDict, HttpResponse, HttpResponseRedirect,
  6
+                         HttpResponsePermanentRedirect,
  7
+                         SimpleCookie, BadHeaderError,
  8
+                         parse_cookie)
6 9
 from django.utils import unittest
7 10
 
8 11
 class QueryDictTests(unittest.TestCase):
@@ -243,6 +246,18 @@ def test_newlines_in_headers(self):
243 246
         self.assertRaises(BadHeaderError, r.__setitem__, 'test\rstr', 'test')
244 247
         self.assertRaises(BadHeaderError, r.__setitem__, 'test\nstr', 'test')
245 248
 
  249
+    def test_unsafe_redirects(self):
  250
+        bad_urls = [
  251
+            'data:text/html,<script>window.alert("xss")</script>',
  252
+            'mailto:test@example.com',
  253
+            'file:///etc/passwd',
  254
+        ]
  255
+        for url in bad_urls:
  256
+            self.assertRaises(SuspiciousOperation,
  257
+                              HttpResponseRedirect, url)
  258
+            self.assertRaises(SuspiciousOperation,
  259
+                              HttpResponsePermanentRedirect, url)
  260
+
246 261
 class CookieTests(unittest.TestCase):
247 262
     def test_encode(self):
248 263
         """

0 notes on commit 4dea488

Please sign in to comment.
Something went wrong with that request. Please try again.