From e34685034b60be1112160e76091e5aee60149fa1 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Mon, 30 Jul 2012 22:03:09 +0200 Subject: [PATCH] [1.4.x] Fixed a security issue in http redirects. Disclosure and new release forthcoming. Backport of 4129201c3e0fa057c198bdefcb34686a23b4a93c from master. --- django/http/__init__.py | 22 +++++++++++---------- tests/regressiontests/httpwrappers/tests.py | 19 ++++++++++++++++-- 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/django/http/__init__.py b/django/http/__init__.py index 94478ae5aeb51..8af7228b4b308 100644 --- a/django/http/__init__.py +++ b/django/http/__init__.py @@ -9,7 +9,7 @@ from pprint import pformat from urllib import urlencode, quote -from urlparse import urljoin +from urlparse import urljoin, urlparse try: from cStringIO import StringIO except ImportError: @@ -114,7 +114,7 @@ def __init__(self, *args, **kwargs): from django.conf import settings from django.core import signing -from django.core.exceptions import ImproperlyConfigured +from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation from django.core.files import uploadhandler from django.http.multipartparser import MultiPartParser from django.http.utils import * @@ -731,19 +731,21 @@ def tell(self): raise Exception("This %s instance cannot tell its position" % self.__class__) return sum([len(str(chunk)) for chunk in self._container]) -class HttpResponseRedirect(HttpResponse): - status_code = 302 +class HttpResponseRedirectBase(HttpResponse): + allowed_schemes = ['http', 'https', 'ftp'] def __init__(self, redirect_to): - super(HttpResponseRedirect, self).__init__() + super(HttpResponseRedirectBase, self).__init__() + parsed = urlparse(redirect_to) + if parsed.scheme and parsed.scheme not in self.allowed_schemes: + raise SuspiciousOperation("Unsafe redirect to URL with scheme '%s'" % parsed.scheme) self['Location'] = iri_to_uri(redirect_to) -class HttpResponsePermanentRedirect(HttpResponse): - status_code = 301 +class HttpResponseRedirect(HttpResponseRedirectBase): + status_code = 302 - def __init__(self, redirect_to): - super(HttpResponsePermanentRedirect, self).__init__() - self['Location'] = iri_to_uri(redirect_to) +class HttpResponsePermanentRedirect(HttpResponseRedirectBase): + status_code = 301 class HttpResponseNotModified(HttpResponse): status_code = 304 diff --git a/tests/regressiontests/httpwrappers/tests.py b/tests/regressiontests/httpwrappers/tests.py index 7513c46a8fa36..9a7c4ba1f577c 100644 --- a/tests/regressiontests/httpwrappers/tests.py +++ b/tests/regressiontests/httpwrappers/tests.py @@ -1,8 +1,11 @@ import copy import pickle -from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError, - parse_cookie) +from django.core.exceptions import SuspiciousOperation +from django.http import (QueryDict, HttpResponse, HttpResponseRedirect, + HttpResponsePermanentRedirect, + SimpleCookie, BadHeaderError, + parse_cookie) from django.utils import unittest @@ -296,6 +299,18 @@ def test_iter_content(self): self.assertRaises(UnicodeEncodeError, getattr, r, 'content') + def test_unsafe_redirect(self): + bad_urls = [ + 'data:text/html,', + 'mailto:test@example.com', + 'file:///etc/passwd', + ] + for url in bad_urls: + self.assertRaises(SuspiciousOperation, + HttpResponseRedirect, url) + self.assertRaises(SuspiciousOperation, + HttpResponsePermanentRedirect, url) + class CookieTests(unittest.TestCase): def test_encode(self): """