summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorMark Striemer <mstriemer@mozilla.com>2016-02-22 16:50:23 -0500
committerTim Graham <timograham@gmail.com>2016-03-01 11:38:49 -0500
commitfc6d147a63f89795dbcdecb0559256470fff4380 (patch)
treefa046fd6a8b3d199c5e27696c5cc0631043033f4 /django
parent7e799217c5cf1ba365af41c801d5cfbadea18fa9 (diff)
[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'django')
-rw-r--r--django/utils/http.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 70bcbd90ac..fb18f48f77 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -290,8 +290,12 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
- # Chrome treats \ completely as /
- url = url.replace('\\', '/')
+ # Chrome treats \ completely as / in paths but it could be part of some
+ # basic auth credentials so we need to check both URLs.
+ return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+
+def _is_safe_url(url, host):
# Chrome considers any URL with more than two slashes to be absolute, but
# urlparse is not so flexible. Treat any url with three slashes as unsafe.
if url.startswith('///'):