summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2014-07-17 21:59:28 +0200
committerTim Graham <timograham@gmail.com>2014-08-20 11:44:02 -0400
commit45ac9d4fb087d21902469fc22643f5201d41a0cd (patch)
tree5492e6b1729fa8d254344af5046fcd6b7cb1014f
parent25d9ae5214b59f06f385190733914eaa459751ff (diff)
[1.5.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
-rw-r--r--django/core/urlresolvers.py2
-rw-r--r--docs/releases/1.4.14.txt13
-rw-r--r--docs/releases/1.5.9.txt13
-rw-r--r--tests/regressiontests/urlpatterns_reverse/tests.py3
-rw-r--r--tests/regressiontests/urlpatterns_reverse/urls.py3
5 files changed, 34 insertions, 0 deletions
diff --git a/django/core/urlresolvers.py b/django/core/urlresolvers.py
index 3e314e282e..aab2cf62db 100644
--- a/django/core/urlresolvers.py
+++ b/django/core/urlresolvers.py
@@ -426,6 +426,8 @@ class RegexURLResolver(LocaleRegexProvider):
unicode_kwargs = dict([(k, force_text(v)) for (k, v) in kwargs.items()])
candidate = (prefix_norm.replace('%', '%%') + result) % unicode_kwargs
if re.search('^%s%s' % (prefix_norm, pattern), candidate, re.UNICODE):
+ if candidate.startswith('//'):
+ candidate = '/%%2F%s' % candidate[2:]
return candidate
# lookup_view can be URL label, or dotted path, or callable, Any of
# these can be passed in at the top, but callables are not friendly in
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt
index d0032e5399..28390c96a4 100644
--- a/docs/releases/1.4.14.txt
+++ b/docs/releases/1.4.14.txt
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
*Under development*
Django 1.4.14 fixes several security issues in 1.4.13.
+
+:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
+=======================================================================================
+
+In certain situations, URL reversing could generate scheme-relative URLs (URLs
+starting with two slashes), which could unexpectedly redirect a user to a
+different host. An attacker could exploit this, for example, by redirecting
+users to a phishing site designed to ask for user's passwords.
+
+To remedy this, URL reversing now ensures that no URL starts with two slashes
+(//), replacing the second slash with its URL encoded counterpart (%2F). This
+approach ensures that semantics stay the same, while making the URL relative to
+the domain and not to the scheme.
diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt
index 4a5233a1fd..12b5b5f806 100644
--- a/docs/releases/1.5.9.txt
+++ b/docs/releases/1.5.9.txt
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
*Under development*
Django 1.5.9 fixes several security issues in 1.5.8.
+
+:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
+=======================================================================================
+
+In certain situations, URL reversing could generate scheme-relative URLs (URLs
+starting with two slashes), which could unexpectedly redirect a user to a
+different host. An attacker could exploit this, for example, by redirecting
+users to a phishing site designed to ask for user's passwords.
+
+To remedy this, URL reversing now ensures that no URL starts with two slashes
+(//), replacing the second slash with its URL encoded counterpart (%2F). This
+approach ensures that semantics stay the same, while making the URL relative to
+the domain and not to the scheme.
diff --git a/tests/regressiontests/urlpatterns_reverse/tests.py b/tests/regressiontests/urlpatterns_reverse/tests.py
index e3e14b3d7c..a7c8bccdf5 100644
--- a/tests/regressiontests/urlpatterns_reverse/tests.py
+++ b/tests/regressiontests/urlpatterns_reverse/tests.py
@@ -143,6 +143,9 @@ test_data = (
('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
('defaults', NoReverseMatch, [], {'arg2': 1}),
+
+ # Security tests
+ ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
)
class NoURLPatternsTests(TestCase):
diff --git a/tests/regressiontests/urlpatterns_reverse/urls.py b/tests/regressiontests/urlpatterns_reverse/urls.py
index 7aae7c4691..0d3f8c3ed5 100644
--- a/tests/regressiontests/urlpatterns_reverse/urls.py
+++ b/tests/regressiontests/urlpatterns_reverse/urls.py
@@ -71,4 +71,7 @@ urlpatterns = patterns('',
(r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
url('^includes/', include(other_patterns)),
+
+ # Security tests
+ url('(.+)/security/$', empty_view, name='security'),
)