Fixed #26308 -- Prevented crash with binary URLs in is_safe_url() #6242

Merged
merged 1 commit on Mar 4, 2016

Conversation

claudep (Member) commented Mar 4, 2016

This fixes a regression introduced by c5544d2.

@@ -4,9 +4,10 @@ Django 1.9.4 release notes

*Under development*

Django 1.9.4 fixes several bugs in 1.9.3.
Django 1.9.4 fixes a regression in the 1.9.3 security release.
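Review bot: the new last line of the hunk, "Django 1.9.4 fixes a regression in the 1.9.3 security release.", does not say what regressed, so a reader of the release notes cannot tell which function or which Python version is affected. Name both and link the ticket, for example "Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release where utils.http.is_safe_url() crashes on bytestring URLs (:ticket:`26308`).", and drop the "Bugfixes" section if this single fix is the whole release.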
Member

If you feel this should be released asap, then let's just say "a regression on Python 2 in the 1.9.3 security release where utils.http.is_safe_url() crashes on bytestring URLs (:ticket:...)" and remove the "Bugfixes" section.

Member Author

I find the issue rather critical for any Python 2 deployment, don't you?

Member

Yes

@@ -290,6 +290,7 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
url = force_text(url, errors='replace')
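Review bot: the added line "url = force_text(url, errors='replace')" runs unconditionally, although the crash it addresses only exists on Python 2, where a caller can pass a bytestring that the str-only checks further down (unicodedata.category() in particular) reject; on Python 3 the line is a no-op for str input and silently accepts bytes the function was never documented to take. Gate it with "if six.PY2:" so the intent is visible and the line can be deleted when Python 2 support goes, and add a regression test that calls is_safe_url() with a bytestring on Python 2, since this hunk shows no test change.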
Member

Do you still want to remove this when dropping Python 2? If there isn't something like six.PY2 will we remember? I guess force_text() still has some value in resolving lazy objects but that's not why it's used here. Just wondering...

@@ -290,6 +290,8 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
if six.PY2:
url = force_text(url, errors='replace')
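Review bot: the "if six.PY2:" guard relies on six being imported in this module (django.utils.http), which the hunk does not show; confirm "from django.utils import six" is present at the top of the file rather than assuming it. The errors='replace' decode on the last line also deserves a one-line comment explaining why a lossy decode is acceptable here: a byte that is a control character (such as 0x08) is valid ASCII and decodes to the same control character, so the category check below still rejects it, while only invalid UTF-8 sequences become U+FFFD (category So), which the check then treats as an ordinary path character. That is the question raised in the thread, and a comment on the line saves the next reader from asking it again.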
Contributor

I'm wondering about errors='replace' here. The function below considers control characters. Is it possible that some of the bad characters we're trying to detect here will be turned into replacement characters, and then overlooked by _is_safe_url below? The Unicode replacement character is U+FFFD, which is category "So".

Member

The control character issue is that <a href="\x08//example.com"> will redirect to example.com but is_safe_url() would consider it safe before 011a543.
In Firefox and Chrome, <a href="\ufffd//example.com"> will be treated as path relative and redirect to something like http://localhost:8000/page-where-link-appears/%EF%BF%BD//example.com, so I don't see a problem.
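
To make the three points in this thread concrete, here is an added Python 3 example. It is not Django's code: it is a simplified reimplementation of the is_safe_url()/_is_safe_url() logic described above, and the names to_text, is_safe_url_like, crash_class_without_decoding and decoded_first_char_category are assumed for illustration. It shows that a leading control character such as \x08 is rejected, that an undecoded bytestring fails inside the structural check with a TypeError, and that a bytestring decoded with errors='replace' turns an invalid byte into U+FFFD (category So), which the control-character test then lets through as a path-relative URL, matching the browser behaviour described in the comment above.

```python
import unicodedata
from urllib.parse import urlparse

# Added example, not Django's code: a simplified stand-in for the
# is_safe_url()/_is_safe_url() logic discussed in this thread. The names
# to_text, is_safe_url_like, crash_class_without_decoding and
# decoded_first_char_category are illustrative.


def to_text(url):
    """Stand-in for force_text(url, errors='replace') on a plain bytestring:
    decode as UTF-8 and map undecodable bytes to U+FFFD instead of raising."""
    if isinstance(url, bytes):
        return url.decode("utf-8", errors="replace")
    return url


def _is_safe_url(url, host):
    """Structural checks. `url` must be text: every call here is str-only.

    With a bytestring this raises TypeError. On Python 3 the first str-only
    call (startswith) fails; on Python 2, where str methods and urlparse
    accept bytestrings, the failure is unicodedata.category(), which
    requires unicode. That is the crash the PR guards against.
    """
    # Chrome treats a URL with three leading slashes as absolute.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # http:///example.com: browsers read example.com as the host, so forbid
    # a scheme without a netloc.
    if not info.netloc and info.scheme:
        return False
    # Browsers skip leading control characters, so "\x08//example.com" would
    # become scheme-relative. Unicode categories Cc, Cf, Cs, Co, Cn start with "C".
    if unicodedata.category(url[0])[0] == "C":
        return False
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ("http", "https")
    )


def is_safe_url_like(url, host=None):
    """Mirror of is_safe_url(): strip, reject empty, decode bytes, then check
    the URL and a copy with backslashes folded to slashes (Chrome treats a
    backslash as a slash in paths)."""
    if url is not None:
        url = url.strip()
    if not url:
        return False
    url = to_text(url)
    return _is_safe_url(url, host) and _is_safe_url(url.replace("\\", "/"), host)


def crash_class_without_decoding(url_bytes, host=None):
    """Run the structural check on an undecoded bytestring and return the
    name of the exception class it raises (None if it ran through)."""
    try:
        _is_safe_url(url_bytes, host)
    except Exception as exc:  # broad on purpose: we only report the class
        return type(exc).__name__
    return None


def decoded_first_char_category(url_bytes):
    """Unicode category of the first character after the lossy decode, e.g.
    b'\\xff//example.com' -> U+FFFD -> 'So' (a symbol, not a control)."""
    return unicodedata.category(to_text(url_bytes)[0])


if __name__ == "__main__":
    # Constructed sample inputs; example.com is the assumed request host.
    for candidate in ["/next/", b"/next/", "\x08//example.com",
                      b"\x08//example.com", b"\xff//example.com",
                      "http://evil.example/", "///evil.example"]:
        print(repr(candidate), is_safe_url_like(candidate, host="example.com"))
    print(crash_class_without_decoding(b"\x08//example.com"))
    print(decoded_first_char_category(b"\xff//example.com"))
```

The decode step sits after strip() and the empty check, exactly where the patch places force_text(), so the control-character test always sees text. A control byte such as 0x08 is valid ASCII and survives the decode unchanged, which is why it is still rejected; only malformed UTF-8 collapses to U+FFFD.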

This fixes a regression introduced by c5544d2.
Thanks John Eskew for the report and Tim Graham for the review.
@claudep claudep merged commit ada7a4a into django:master Mar 4, 2016
@claudep claudep deleted the 26308 branch March 4, 2016 20:17
timgraham (Member)

For anyone patching other distributions of Django, this fix was amended with 552f038.
