diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:01:50 +0200 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:01:50 +0200 |
| commit | 4129201c3e0fa057c198bdefcb34686a23b4a93c (patch) | |
| tree | 58560ce54b9a1019a5ca67667bb1e87e051fc161 /django/http/__init__.py | |
| parent | b1d463468694f2e91fde67221b7996e9c52a9720 (diff) | |
Fixed a security issue in http redirects. Disclosure and new release forthcoming.
Diffstat (limited to 'django/http/__init__.py')
| -rw-r--r-- | django/http/__init__.py | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py index 6f9d70eebd..19b581f5cb 100644 --- a/django/http/__init__.py +++ b/django/http/__init__.py @@ -11,10 +11,10 @@ import warnings from io import BytesIO from pprint import pformat try: - from urllib.parse import quote, parse_qsl, urlencode, urljoin + from urllib.parse import quote, parse_qsl, urlencode, urljoin, urlparse except ImportError: # Python 2 from urllib import quote, urlencode - from urlparse import parse_qsl, urljoin + from urlparse import parse_qsl, urljoin, urlparse from django.utils.six.moves import http_cookies # Some versions of Python 2.7 and later won't need this encoding bug fix: @@ -80,7 +80,7 @@ else: from django.conf import settings from django.core import signing -from django.core.exceptions import ImproperlyConfigured +from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation from django.core.files import uploadhandler from django.http.multipartparser import MultiPartParser from django.http.utils import * @@ -689,20 +689,22 @@ class HttpResponse(object): raise Exception("This %s instance cannot tell its position" % self.__class__) return sum([len(chunk) for chunk in self]) -class HttpResponseRedirect(HttpResponse): - status_code = 302 +class HttpResponseRedirectBase(HttpResponse): + allowed_schemes = ['http', 'https', 'ftp'] def __init__(self, redirect_to): - super(HttpResponseRedirect, self).__init__() + parsed = urlparse(redirect_to) + if parsed.scheme and parsed.scheme not in self.allowed_schemes: + raise SuspiciousOperation("Unsafe redirect to URL with protocol '%s'" % parsed.scheme) + super(HttpResponseRedirectBase, self).__init__() self['Location'] = iri_to_uri(redirect_to) + +class HttpResponseRedirect(HttpResponseRedirectBase): + status_code = 302 -class HttpResponsePermanentRedirect(HttpResponse): +class HttpResponsePermanentRedirect(HttpResponseRedirectBase): status_code = 301 - def __init__(self, redirect_to): - super(HttpResponsePermanentRedirect, self).__init__() - self['Location'] = iri_to_uri(redirect_to) - class HttpResponseNotModified(HttpResponse): status_code = 304 |