mirror of https://github.com/django/django.git
[1.7.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
This commit is contained in:
parent
1c00c38b4a
commit
bf650a2ee7
|
@ -442,7 +442,11 @@ class RegexURLResolver(LocaleRegexProvider):
|
|||
candidate_pat = prefix_norm.replace('%', '%%') + result
|
||||
if re.search('^%s%s' % (prefix_norm, pattern), candidate_pat % candidate_subs, re.UNICODE):
|
||||
candidate_subs = dict((k, urlquote(v)) for (k, v) in candidate_subs.items())
|
||||
return candidate_pat % candidate_subs
|
||||
url = candidate_pat % candidate_subs
|
||||
# Don't allow construction of scheme relative urls.
|
||||
if url.startswith('//'):
|
||||
url = '/%%2F%s' % url[2:]
|
||||
return url
|
||||
# lookup_view can be URL label, or dotted path, or callable, Any of
|
||||
# these can be passed in at the top, but callables are not friendly in
|
||||
# error messages.
|
||||
|
|
|
@ -5,3 +5,16 @@ Django 1.4.14 release notes
|
|||
*Under development*
|
||||
|
||||
Django 1.4.14 fixes several security issues in 1.4.13.
|
||||
|
||||
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
|
||||
=======================================================================================
|
||||
|
||||
In certain situations, URL reversing could generate scheme-relative URLs (URLs
|
||||
starting with two slashes), which could unexpectedly redirect a user to a
|
||||
different host. An attacker could exploit this, for example, by redirecting
|
||||
users to a phishing site designed to ask for user's passwords.
|
||||
|
||||
To remedy this, URL reversing now ensures that no URL starts with two slashes
|
||||
(//), replacing the second slash with its URL encoded counterpart (%2F). This
|
||||
approach ensures that semantics stay the same, while making the URL relative to
|
||||
the domain and not to the scheme.
|
||||
|
|
|
@ -5,3 +5,16 @@ Django 1.5.9 release notes
|
|||
*Under development*
|
||||
|
||||
Django 1.5.9 fixes several security issues in 1.5.8.
|
||||
|
||||
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
|
||||
=======================================================================================
|
||||
|
||||
In certain situations, URL reversing could generate scheme-relative URLs (URLs
|
||||
starting with two slashes), which could unexpectedly redirect a user to a
|
||||
different host. An attacker could exploit this, for example, by redirecting
|
||||
users to a phishing site designed to ask for user's passwords.
|
||||
|
||||
To remedy this, URL reversing now ensures that no URL starts with two slashes
|
||||
(//), replacing the second slash with its URL encoded counterpart (%2F). This
|
||||
approach ensures that semantics stay the same, while making the URL relative to
|
||||
the domain and not to the scheme.
|
||||
|
|
|
@ -6,6 +6,19 @@ Django 1.6.6 release notes
|
|||
|
||||
Django 1.6.6 fixes several security issues and bugs in 1.6.5.
|
||||
|
||||
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
|
||||
=======================================================================================
|
||||
|
||||
In certain situations, URL reversing could generate scheme-relative URLs (URLs
|
||||
starting with two slashes), which could unexpectedly redirect a user to a
|
||||
different host. An attacker could exploit this, for example, by redirecting
|
||||
users to a phishing site designed to ask for user's passwords.
|
||||
|
||||
To remedy this, URL reversing now ensures that no URL starts with two slashes
|
||||
(//), replacing the second slash with its URL encoded counterpart (%2F). This
|
||||
approach ensures that semantics stay the same, while making the URL relative to
|
||||
the domain and not to the scheme.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
|
|
@ -151,6 +151,9 @@ test_data = (
|
|||
('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
|
||||
('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
|
||||
('defaults', NoReverseMatch, [], {'arg2': 1}),
|
||||
|
||||
# Security tests
|
||||
('security', '/%2Fexample.com/security/', ['/example.com'], {}),
|
||||
)
|
||||
|
||||
|
||||
|
|
|
@ -66,4 +66,7 @@ urlpatterns = patterns('',
|
|||
(r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
|
||||
|
||||
url('^includes/', include(other_patterns)),
|
||||
|
||||
# Security tests
|
||||
url('(.+)/security/$', empty_view, name='security'),
|
||||
)
|
||||
|
|
Loading…
Reference in New Issue