From c4e5ff7fdb5fce447675e90291fd33fddd052b3c Mon Sep 17 00:00:00 2001 From: Andreas Hug Date: Tue, 24 Jul 2018 16:18:17 -0400 Subject: [2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. --- django/utils/http.py | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'django/utils') diff --git a/django/utils/http.py b/django/utils/http.py index 4558c6874a..e33ec7362b 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -433,3 +433,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(value, encoding=encoding, errors=errors) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url -- cgit v1.3