Skip to content

Commit b45c377

Browse files
committed
Fixed a security issue related to password resets
Full disclosure and new release are forthcoming backport from master
1 parent c718b4a commit b45c377

File tree

4 files changed

+46
-1
lines changed

4 files changed

+46
-1
lines changed

Diff for: django/contrib/auth/tests/urls.py

+1
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@ def remote_user_auth_view(request):
1919
(r'^logout/next_page/$', 'django.contrib.auth.views.logout', dict(next_page='/somewhere/')),
2020
(r'^remote_user/$', remote_user_auth_view),
2121
(r'^password_reset_from_email/$', 'django.contrib.auth.views.password_reset', dict(from_email='staffmember@example.com')),
22+
(r'^admin_password_reset/$', 'django.contrib.auth.views.password_reset', dict(is_admin_site=True)),
2223
(r'^login_required/$', login_required(password_reset)),
2324
(r'^login_required_login_url/$', login_required(password_reset, login_url='/somewhere/')),
2425
)

Diff for: django/contrib/auth/tests/views.py

+39
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
from django.contrib.auth.models import User
1010
from django.test import TestCase
1111
from django.core import mail
12+
from django.core.exceptions import SuspiciousOperation
1213
from django.core.urlresolvers import reverse
1314
from django.http import QueryDict
1415

@@ -69,6 +70,44 @@ def test_email_found_custom_from(self):
6970
self.assertEqual(len(mail.outbox), 1)
7071
self.assertEqual("staffmember@example.com", mail.outbox[0].from_email)
7172

73+
def test_admin_reset(self):
74+
"If the reset view is marked as being for admin, the HTTP_HOST header is used for a domain override."
75+
response = self.client.post('/admin_password_reset/',
76+
{'email': 'staffmember@example.com'},
77+
HTTP_HOST='adminsite.com'
78+
)
79+
self.assertEqual(response.status_code, 302)
80+
self.assertEqual(len(mail.outbox), 1)
81+
self.assertTrue("http://adminsite.com" in mail.outbox[0].body)
82+
self.assertEqual(settings.DEFAULT_FROM_EMAIL, mail.outbox[0].from_email)
83+
84+
def test_poisoned_http_host(self):
85+
"Poisoned HTTP_HOST headers can't be used for reset emails"
86+
# This attack is based on the way browsers handle URLs. The colon
87+
# should be used to separate the port, but if the URL contains an @,
88+
# the colon is interpreted as part of a username for login purposes,
89+
# making 'evil.com' the request domain. Since HTTP_HOST is used to
90+
# produce a meaningful reset URL, we need to be certain that the
91+
# HTTP_HOST header isn't poisoned. This is done as a check when get_host()
92+
# is invoked, but we check here as a practical consequence.
93+
def test_host_poisoning():
94+
self.client.post('/password_reset/',
95+
{'email': 'staffmember@example.com'},
96+
HTTP_HOST='www.example:dr.frankenstein@evil.tld'
97+
)
98+
self.assertRaises(SuspiciousOperation, test_host_poisoning)
99+
self.assertEqual(len(mail.outbox), 0)
100+
101+
def test_poisoned_http_host_admin_site(self):
102+
"Poisoned HTTP_HOST headers can't be used for reset emails on admin views"
103+
def test_host_poisoning():
104+
self.client.post('/admin_password_reset/',
105+
{'email': 'staffmember@example.com'},
106+
HTTP_HOST='www.example:dr.frankenstein@evil.tld'
107+
)
108+
self.assertRaises(SuspiciousOperation, test_host_poisoning)
109+
self.assertEqual(len(mail.outbox), 0)
110+
72111
def _test_confirm_start(self):
73112
# Start by creating the email
74113
response = self.client.post('/password_reset/', {'email': 'staffmember@example.com'})

Diff for: django/contrib/auth/views.py

+1-1
Original file line numberDiff line numberDiff line change
@@ -151,7 +151,7 @@ def password_reset(request, is_admin_site=False,
151151
'request': request,
152152
}
153153
if is_admin_site:
154-
opts = dict(opts, domain_override=request.META['HTTP_HOST'])
154+
opts = dict(opts, domain_override=request.get_host())
155155
form.save(**opts)
156156
return HttpResponseRedirect(post_reset_redirect)
157157
else:

Diff for: django/http/__init__.py

+5
Original file line numberDiff line numberDiff line change
@@ -165,6 +165,11 @@ def get_host(self):
165165
server_port = str(self.META['SERVER_PORT'])
166166
if server_port != (self.is_secure() and '443' or '80'):
167167
host = '%s:%s' % (host, server_port)
168+
169+
# Disallow potentially poisoned hostnames.
170+
if set(';/?@&=+$,').intersection(host):
171+
raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
172+
168173
return host
169174

170175
def get_full_path(self):

0 commit comments

Comments
 (0)