[1.11.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.

3 files changed, 18 insertions, 4 deletions

diff --git a/django/middleware/common.py b/django/middleware/common.py
index d18d23fa43..fff46ba552 100644
--- a/django/middleware/common.py
+++ b/django/middleware/common.py
@@ -11,6 +11,7 @@ from django.utils.cache import (
 )
 from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning
 from django.utils.encoding import force_text
+from django.utils.http import escape_leading_slashes
 from django.utils.six.moves.urllib.parse import urlparse
 
 
@@ -90,6 +91,8 @@ class CommonMiddleware(MiddlewareMixin):
         POST, PUT, or PATCH.
         """
         new_path = request.get_full_path(force_append_slash=True)
+        # Prevent construction of scheme relative urls.
+        new_path = escape_leading_slashes(new_path)
         if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'):
             raise RuntimeError(
                 "You called this URL via %(method)s, but the URL doesn't end "
diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py
index 1de59a8763..25e9ae8276 100644
--- a/django/urls/resolvers.py
+++ b/django/urls/resolvers.py
@@ -20,7 +20,9 @@ from django.utils import lru_cache, six
 from django.utils.datastructures import MultiValueDict
 from django.utils.encoding import force_str, force_text
 from django.utils.functional import cached_property
-from django.utils.http import RFC3986_SUBDELIMS, urlquote
+from django.utils.http import (
+    RFC3986_SUBDELIMS, escape_leading_slashes, urlquote,
+)
 from django.utils.regex_helper import normalize
 from django.utils.translation import get_language
 
@@ -465,9 +467,7 @@ class RegexURLResolver(LocaleRegexProvider):
                     # safe characters from `pchar` definition of RFC 3986
                     url = urlquote(candidate_pat % candidate_subs, safe=RFC3986_SUBDELIMS + str('/~:@'))
                     # Don't allow construction of scheme relative urls.
-                    if url.startswith('//'):
-                        url = '/%%2F%s' % url[2:]
-                    return url
+                    return escape_leading_slashes(url)
         # lookup_view can be URL name or callable, but callables are not
         # friendly in error messages.
         m = getattr(lookup_view, '__module__', None)
diff --git a/django/utils/http.py b/django/utils/http.py
index 1fbc11b6fb..644d4d09fd 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -466,3 +466,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8',
                 value = unquote(nv[1].replace(b'+', b' '))
             r.append((name, value))
     return r
+
+
+def escape_leading_slashes(url):
+    """
+    If redirecting to an absolute path (two leading slashes), a slash must be
+    escaped to prevent browsers from handling the path as schemaless and
+    redirecting to another host.
+    """
+    if url.startswith('//'):
+        url = '/%2F{}'.format(url[2:])
+    return url