Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.

This is a security fix.
2016-02-22 16:47:01 -05:00 · 2016-02-22 16:47:01 -05:00 · c5544d2892
parent f43291639b
commit c5544d2892
4 changed files with 50 additions and 2 deletions
--- a/django/utils/http.py
+++ b/django/utils/http.py
@ -290,8 +290,12 @@ def is_safe_url(url, host=None):
        url = url.strip()
    if not url:
        return False
-    # Chrome treats \ completely as /
-    url = url.replace('\\', '/')
+    # Chrome treats \ completely as / in paths but it could be part of some
+    # basic auth credentials so we need to check both URLs.
+    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+
+def _is_safe_url(url, host):
    # Chrome considers any URL with more than two slashes to be absolute, but
    # urlparse is not so flexible. Treat any url with three slashes as unsafe.
    if url.startswith('///'):
--- a/docs/releases/1.8.10.txt
+++ b/docs/releases/1.8.10.txt
@ -6,6 +6,22 @@ Django 1.8.10 release notes

 Django 1.8.10 fixes two security issues and several bugs in 1.8.9.

+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 Bugfixes
 ========

--- a/docs/releases/1.9.3.txt
+++ b/docs/releases/1.9.3.txt
@ -6,6 +6,22 @@ Django 1.9.3 release notes

 Django 1.9.3 fixes two security issues and several bugs in 1.9.2.

+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 Bugfixes
 ========

--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@ -97,6 +97,11 @@ class TestUtilsHttp(unittest.TestCase):
                        'javascript:alert("XSS")',
                        '\njavascript:alert(x)',
                        '\x08//example.com',
+                        r'http://otherserver\@example.com',
+                        r'http:\\testserver\@example.com',
+                        r'http://testserver\me:pass@example.com',
+                        r'http://testserver\@example.com',
+                        r'http:\\testserver\confirm\me@example.com',
                        '\n'):
            self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
        for good_url in ('/view/?param=http://example.com',
@ -106,8 +111,15 @@ class TestUtilsHttp(unittest.TestCase):
                     'https://testserver/',
                     'HTTPS://testserver/',
                     '//testserver/',
+                     'http://testserver/confirm?email=me@example.com',
                     '/url%20with%20spaces/'):
            self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+        # Valid basic auth credentials are allowed.
+        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
+        # A path without host is allowed.
+        self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
+        # Basic auth without host is not allowed.
+        self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))

    def test_urlsafe_base64_roundtrip(self):
        bytestring = b'foo'