diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:05:41 -0500 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:05:41 -0500 |
| commit | 79594b40c087c19fecc72af042c835b11a519b78 (patch) | |
| tree | 4b12252c9056e2f8036156afd65170805d25328c /django/utils | |
| parent | 4f470f5186d4c61a4b1c95bb9346d03b7c2f3aca (diff) | |
Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/http.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index 4647d89847..ffaf4e9657 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -253,11 +253,12 @@ def same_origin(url1, url2): def is_safe_url(url, host=None): """ Return ``True`` if the url is a safe redirection (i.e. it doesn't point to - a different host). + a different host and uses a safe scheme). Always returns ``False`` on an empty url. """ if not url: return False - netloc = urllib_parse.urlparse(url)[1] - return not netloc or netloc == host + url_info = urllib_parse.urlparse(url) + return (not url_info.netloc or url_info.netloc == host) and \ + (not url_info.scheme or url_info.scheme in ['http', 'https']) |
