diff options
| author | Mark Striemer <mstriemer@mozilla.com> | 2016-02-22 16:50:23 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-03-01 11:38:49 -0500 |
| commit | fc6d147a63f89795dbcdecb0559256470fff4380 (patch) | |
| tree | fa046fd6a8b3d199c5e27696c5cc0631043033f4 /django | |
| parent | 7e799217c5cf1ba365af41c801d5cfbadea18fa9 (diff) | |
[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'django')
| -rw-r--r-- | django/utils/http.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index 70bcbd90ac..fb18f48f77 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -290,8 +290,12 @@ def is_safe_url(url, host=None): url = url.strip() if not url: return False - # Chrome treats \ completely as / - url = url.replace('\\', '/') + # Chrome treats \ completely as / in paths but it could be part of some + # basic auth credentials so we need to check both URLs. + return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) + + +def _is_safe_url(url, host): # Chrome considers any URL with more than two slashes to be absolute, but # urlparse is not so flexible. Treat any url with three slashes as unsafe. if url.startswith('///'): |
