Skip to content
Permalink
Browse files

[1.11.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in C…

…ommonMiddleware.
  • Loading branch information...
andreashug authored and timgraham committed Jul 24, 2018
1 parent 4fd1f67 commit d6eaee092709aad477a9894598496c6deec532ff
@@ -11,6 +11,7 @@
)
from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning
from django.utils.encoding import force_text
from django.utils.http import escape_leading_slashes
from django.utils.six.moves.urllib.parse import urlparse


@@ -90,6 +91,8 @@ def get_full_path_with_slash(self, request):
POST, PUT, or PATCH.
"""
new_path = request.get_full_path(force_append_slash=True)
# Prevent construction of scheme relative urls.
new_path = escape_leading_slashes(new_path)
if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'):
raise RuntimeError(
"You called this URL via %(method)s, but the URL doesn't end "
@@ -20,7 +20,9 @@
from django.utils.datastructures import MultiValueDict
from django.utils.encoding import force_str, force_text
from django.utils.functional import cached_property
from django.utils.http import RFC3986_SUBDELIMS, urlquote
from django.utils.http import (
RFC3986_SUBDELIMS, escape_leading_slashes, urlquote,
)
from django.utils.regex_helper import normalize
from django.utils.translation import get_language

@@ -465,9 +467,7 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs):
# safe characters from `pchar` definition of RFC 3986
url = urlquote(candidate_pat % candidate_subs, safe=RFC3986_SUBDELIMS + str('/~:@'))
# Don't allow construction of scheme relative urls.
if url.startswith('//'):
url = '/%%2F%s' % url[2:]
return url
return escape_leading_slashes(url)
# lookup_view can be URL name or callable, but callables are not
# friendly in error messages.
m = getattr(lookup_view, '__module__', None)
@@ -466,3 +466,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8',
value = unquote(nv[1].replace(b'+', b' '))
r.append((name, value))
return r


def escape_leading_slashes(url):
"""
If redirecting to an absolute path (two leading slashes), a slash must be
escaped to prevent browsers from handling the path as schemaless and
redirecting to another host.
"""
if url.startswith('//'):
url = '/%2F{}'.format(url[2:])
return url
@@ -5,3 +5,16 @@ Django 1.11.15 release notes
*August 1, 2018*

Django 1.11.15 fixes a security issue in 1.11.14.

CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
=================================================================

If the :class:`~django.middleware.common.CommonMiddleware` and the
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
URL pattern that accepts any path ending in a slash (many content management
systems have such a pattern), then a request to a maliciously crafted URL of
that site could lead to a redirect to another site, enabling phishing and other
attacks.

``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
domains.
@@ -137,6 +137,25 @@ def test_append_slash_quoted(self):
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/needsquoting%23/')

@override_settings(APPEND_SLASH=True)
def test_append_slash_leading_slashes(self):
"""
Paths starting with two slashes are escaped to prevent open redirects.
If there's a URL pattern that allows paths to start with two slashes, a
request with path //evil.com must not redirect to //evil.com/ (appended
slash) which is a schemaless absolute URL. The browser would navigate
to evil.com/.
"""
# Use 4 slashes because of RequestFactory behavior.
request = self.rf.get('////evil.com/security')
response = HttpResponseNotFound()
r = CommonMiddleware().process_request(request)
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/%2Fevil.com/security/')
r = CommonMiddleware().process_response(request, response)
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/%2Fevil.com/security/')

@override_settings(APPEND_SLASH=False, PREPEND_WWW=True)
def test_prepend_www(self):
request = self.rf.get('/path/')
@@ -6,4 +6,6 @@
url(r'^noslash$', views.empty_view),
url(r'^slash/$', views.empty_view),
url(r'^needsquoting#/$', views.empty_view),
# Accepts paths with two leading slashes.
url(r'^(.+)/security/$', views.empty_view),
]
@@ -248,3 +248,13 @@ def test_parsing_rfc850(self):
def test_parsing_asctime(self):
parsed = http.parse_http_date('Sun Nov 6 08:49:37 1994')
self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37))


class EscapeLeadingSlashesTests(unittest.TestCase):
def test(self):
tests = (
('//example.com', '/%2Fexample.com'),
('//', '/%2F'),
)
for url, expected in tests:
self.assertEqual(http.escape_leading_slashes(url), expected)

0 comments on commit d6eaee0

Please sign in to comment.
You can’t perform that action at this time.