Merge pull request from GHSA-q3m9-9fj2-mfwr
Treat urls like https:example.org without slashes as outside the portal.
mauritsvanrees committed Jul 31, 2021
2 parents a52a08c + 7cbf4a4 commit d4fd349
Showing 3 changed files with 24 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Products/isurlinportal/__init__.py
Expand Up @@ -131,6 +131,12 @@ def isURLInPortal(self, url, context=None):
# and redirecting to 'mailto:' or 'ftp:' is silly.
return False

if schema and not u_host:
# Example: https:example.org
# When we redirect to this, some browsers fail, others happily go to example.org.
# In any case, this is not in the portal.
return False

# Someone may be doing tricks with escaped html code.
unescaped_url = unescape(url)
if unescaped_url != url:
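Review bot: The new guard at `if schema and not u_host:` explains browser behaviour but not the contract it enforces or the advisory it fixes; a one-line pointer would help the next maintainer, e.g. `# Any URL with a scheme but no host part is treated as outside the portal (GHSA-q3m9-9fj2-mfwr).` isURLInPortal starts and ends outside the hunk, and `schema` and `u_host` are computed above it, so whether `u_host` is the netloc from urlsplit/urlparse is an inference. If it is, the guard also rejects single-slash forms such as `https:/example.org`, which the accompanying tests do not pin down yet.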
12 changes: 12 additions & 0 deletions Products/isurlinportal/tests.py
Expand Up @@ -167,6 +167,11 @@ def test_data_not_in_portal(self):
iURLiP("data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K")
)

def test_ftp_not_in_portal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP("ftp://ftp.example.org"))

def test_double_slash(self):
# I wondered if this might be a problem after reading
# https://bugs.python.org/issue23505
Expand Down Expand Up @@ -204,3 +209,10 @@ def test_whitespace(self):
self.assertFalse(iURLiP("foo\t"))
self.assertFalse(iURLiP(" foo"))
self.assertFalse(iURLiP("foo "))

def test_without_slashes(self):
# This does not work in all browsers.
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertFalse(iURLiP("http:example.org"))
self.assertFalse(iURLiP("https:example.org"))
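Review bot: The comment `# This does not work in all browsers.` in test_without_slashes describes browser behaviour rather than what the test asserts; `# Browsers disagree on scheme-without-slashes URLs; the portal must treat them as external regardless.` would state the intent. The two cases cover only the no-slash form; if `u_host` in isURLInPortal is the parsed netloc, a single-slash case `self.assertFalse(iURLiP("https:/example.org"))` would pin the same property at no extra cost.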
6 changes: 6 additions & 0 deletions news/1.feature
@@ -0,0 +1,6 @@
Treat urls like ``https:example.org`` without slashes as outside the portal.
Some browsers would redirect to example.org, some would redirect to a non-existing local page.
We never want this, because this is likely a hack attempt.
This vulnerability was discovered and reported by Yuji Tounai of Mitsui Bussan Secure Directions, Inc.
See `security advisory 1 <https://github.com/plone/Products.isurlinportal/security/advisories/GHSA-q3m9-9fj2-mfwr>`_.
[maurits]
