From fc6d147a63f89795dbcdecb0559256470fff4380 Mon Sep 17 00:00:00 2001 From: Mark Striemer Date: Mon, 22 Feb 2016 16:50:23 -0500 Subject: [1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. This is a security fix. --- django/utils/http.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'django/utils') diff --git a/django/utils/http.py b/django/utils/http.py index 70bcbd90ac..fb18f48f77 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -290,8 +290,12 @@ def is_safe_url(url, host=None): url = url.strip() if not url: return False - # Chrome treats \ completely as / - url = url.replace('\\', '/') + # Chrome treats \ completely as / in paths but it could be part of some + # basic auth credentials so we need to check both URLs. + return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) + + +def _is_safe_url(url, host): # Chrome considers any URL with more than two slashes to be absolute, but # urlparse is not so flexible. Treat any url with three slashes as unsafe. if url.startswith('///'): -- cgit v1.3