From 79594b40c087c19fecc72af042c835b11a519b78 Mon Sep 17 00:00:00 2001 From: Jacob Kaplan-Moss Date: Tue, 13 Aug 2013 11:05:41 -0500 Subject: Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S. This is a security fix; disclosure to follow shortly. --- django/utils/http.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'django/utils') diff --git a/django/utils/http.py b/django/utils/http.py index 4647d89847..ffaf4e9657 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -253,11 +253,12 @@ def same_origin(url1, url2): def is_safe_url(url, host=None): """ Return ``True`` if the url is a safe redirection (i.e. it doesn't point to - a different host). + a different host and uses a safe scheme). Always returns ``False`` on an empty url. """ if not url: return False - netloc = urllib_parse.urlparse(url)[1] - return not netloc or netloc == host + url_info = urllib_parse.urlparse(url) + return (not url_info.netloc or url_info.netloc == host) and \ + (not url_info.scheme or url_info.scheme in ['http', 'https']) -- cgit v1.3