Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
This is a security fix; disclosure to follow shortly.
  • Loading branch information
jacobian committed Aug 13, 2013
1 parent b50be68 commit ec67af0
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 5 deletions.
8 changes: 6 additions & 2 deletions django/contrib/auth/tests/views.py
Expand Up @@ -309,7 +309,8 @@ def test_security_check(self, password='password'):
for bad_url in ('http://example.com',
'https://example.com',
'ftp://exampel.com',
'//example.com'):
'//example.com',
'javascript:alert("XSS")'):

nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
'url': login_url,
Expand All @@ -330,6 +331,7 @@ def test_security_check(self, password='password'):
'/view?param=ftp://exampel.com',
'view/?param=//example.com',
'https:///',
'HTTPS:///',
'//testserver/',
'/url%20with%20spaces/'): # see ticket #12534
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
Expand Down Expand Up @@ -467,7 +469,8 @@ def test_security_check(self, password='password'):
for bad_url in ('http://example.com',
'https://example.com',
'ftp://exampel.com',
'//example.com'):
'//example.com',
'javascript:alert("XSS")'):
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
'url': logout_url,
'next': REDIRECT_FIELD_NAME,
Expand All @@ -486,6 +489,7 @@ def test_security_check(self, password='password'):
'/view?param=ftp://exampel.com',
'view/?param=//example.com',
'https:///',
'HTTPS:///',
'//testserver/',
'/url%20with%20spaces/'): # see ticket #12534
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
Expand Down
7 changes: 4 additions & 3 deletions django/utils/http.py
Expand Up @@ -228,11 +228,12 @@ def same_origin(url1, url2):
def is_safe_url(url, host=None):
"""
Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
a different host).
a different host and uses a safe scheme).
Always returns ``False`` on an empty url.
"""
if not url:
return False
netloc = urlparse.urlparse(url)[1]
return not netloc or netloc == host
url_info = urlparse.urlparse(url)
return (not url_info[1] or url_info[1] == host) and \
(not url_info[0] or url_info[0] in ['http', 'https'])

0 comments on commit ec67af0

Please sign in to comment.