Skip to content

Commit c5544d2

Browse files
mstriemertimgraham
authored andcommitted
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
1 parent f432916 commit c5544d2

File tree

4 files changed

+50
-2
lines changed

4 files changed

+50
-2
lines changed

Diff for: django/utils/http.py

+6-2
Original file line numberDiff line numberDiff line change
@@ -290,8 +290,12 @@ def is_safe_url(url, host=None):
290290
url = url.strip()
291291
if not url:
292292
return False
293-
# Chrome treats \ completely as /
294-
url = url.replace('\\', '/')
293+
# Chrome treats \ completely as / in paths but it could be part of some
294+
# basic auth credentials so we need to check both URLs.
295+
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
296+
297+
298+
def _is_safe_url(url, host):
295299
# Chrome considers any URL with more than two slashes to be absolute, but
296300
# urlparse is not so flexible. Treat any url with three slashes as unsafe.
297301
if url.startswith('///'):

Diff for: docs/releases/1.8.10.txt

+16
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,22 @@ Django 1.8.10 release notes
66

77
Django 1.8.10 fixes two security issues and several bugs in 1.8.9.
88

9+
CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
10+
===============================================================================================================
11+
12+
Django relies on user input in some cases (e.g.
13+
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
14+
to redirect the user to an "on success" URL. The security check for these
15+
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
16+
with basic authentication credentials "safe" when they shouldn't be.
17+
18+
For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
19+
considered safe if the request's host is ``http://mysite.example.com``, but
20+
redirecting to this URL sends the user to ``attacker.com``.
21+
22+
Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
23+
targets and puts such a URL into a link, they could suffer from an XSS attack.
24+
925
Bugfixes
1026
========
1127

Diff for: docs/releases/1.9.3.txt

+16
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,22 @@ Django 1.9.3 release notes
66

77
Django 1.9.3 fixes two security issues and several bugs in 1.9.2.
88

9+
CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
10+
===============================================================================================================
11+
12+
Django relies on user input in some cases (e.g.
13+
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
14+
to redirect the user to an "on success" URL. The security check for these
15+
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
16+
with basic authentication credentials "safe" when they shouldn't be.
17+
18+
For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
19+
considered safe if the request's host is ``http://mysite.example.com``, but
20+
redirecting to this URL sends the user to ``attacker.com``.
21+
22+
Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
23+
targets and puts such a URL into a link, they could suffer from an XSS attack.
24+
925
Bugfixes
1026
========
1127

Diff for: tests/utils_tests/test_http.py

+12
Original file line numberDiff line numberDiff line change
@@ -97,6 +97,11 @@ def test_is_safe_url(self):
9797
'javascript:alert("XSS")',
9898
'\njavascript:alert(x)',
9999
'\x08//example.com',
100+
r'http://otherserver\@example.com',
101+
r'http:\\testserver\@example.com',
102+
r'http://testserver\me:pass@example.com',
103+
r'http://testserver\@example.com',
104+
r'http:\\testserver\confirm\me@example.com',
100105
'\n'):
101106
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
102107
for good_url in ('/view/?param=http://example.com',
@@ -106,8 +111,15 @@ def test_is_safe_url(self):
106111
'https://testserver/',
107112
'HTTPS://testserver/',
108113
'//testserver/',
114+
'http://testserver/confirm?email=me@example.com',
109115
'/url%20with%20spaces/'):
110116
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
117+
# Valid basic auth credentials are allowed.
118+
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
119+
# A path without host is allowed.
120+
self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
121+
# Basic auth without host is not allowed.
122+
self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
111123

112124
def test_urlsafe_base64_roundtrip(self):
113125
bytestring = b'foo'

0 commit comments

Comments
 (0)