
Fix SSRF: do not use urljoin, quote uuids

bhelx committed Nov 9, 2017
1 parent 9db2d1a commit 049c74699ce93cf126feff06d632ea63fba36742
Showing with 6 additions and 6 deletions.
  1. +6 −6 recurly/resource.py
@@ -12,8 +12,7 @@
import recurly.errors
from recurly.link_header import parse_link_value
from six.moves import http_client
from six.moves.urllib.parse import urlencode, urljoin, urlsplit
from six.moves.urllib.parse import urlencode, urlsplit, quote
class Money(object):
@@ -338,7 +337,8 @@ def get(cls, uuid):
can be directly requested with this method.
"""
url = urljoin(recurly.base_uri(), cls.member_path % (uuid,))
uuid = quote(str(uuid))
url = recurly.base_uri() + (cls.member_path % (uuid,))
resp, elem = cls.element_for_url(url)
return cls.from_element(elem)
@@ -606,7 +606,7 @@ def all(cls, **kwargs):
parameters.
"""
url = urljoin(recurly.base_uri(), cls.collection_path)
url = recurly.base_uri() + cls.collection_path
if kwargs:
url = '%s?%s' % (url, urlencode(kwargs))
return Page.page_for_url(url)
@@ -616,7 +616,7 @@ def count(cls, **kwargs):
"""Return a count of server side resources given
filtering arguments in kwargs.
"""
url = urljoin(recurly.base_uri(), cls.collection_path)
url = recurly.base_uri() + cls.collection_path
if kwargs:
url = '%s?%s' % (url, urlencode(kwargs))
return Page.count_for_url(url)
@@ -638,7 +638,7 @@ def _update(self):
return self.put(self._url)
def _create(self):
url = urljoin(recurly.base_uri(), self.collection_path)
url = recurly.base_uri() + self.collection_path
return self.post(url)
def put(self, url):
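Review bot: The quoting added in the `get` hunk (`uuid = quote(str(uuid))`) still lets a caller-supplied uuid alter the request path, because `quote` leaves `/` unescaped by default (`safe='/'`), so a value such as `../other-resource` is passed through unchanged and simply concatenated onto `base_uri()`. Switching to urljoin-free concatenation does stop the host from being rewritten, which is the SSRF the commit targets, but the path segment should be fully escaped as well: `uuid = quote(str(uuid), safe='')`. It would also help to say why concatenation is used here rather than a URL helper, e.g. `# concatenate rather than urljoin: a uuid must never be able to replace the base host or path`, so the next refactor does not reintroduce urljoin. The `get`, `all`, `count` and `_create` bodies all start or end outside their hunks; the point above applies only to the single user-controlled segment in `get`, since `collection_path`/`member_path` are class constants and the kwargs in `all`/`count` go through `urlencode`.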
