summaryrefslogtreecommitdiff
path: root/django/urls/resolvers.py
diff options
context:
space:
mode:
authorAndreas Hug <andreas.hug@moccu.com>2018-07-24 16:18:17 -0400
committerTim Graham <timograham@gmail.com>2018-08-01 09:35:09 -0400
commitc4e5ff7fdb5fce447675e90291fd33fddd052b3c (patch)
treeb1c98d1ece0565e0cdb66907d9d9e9e5e2e17cad /django/urls/resolvers.py
parentb3234256616b0a6c8195715cbd8c850cee2cc064 (diff)
[2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'django/urls/resolvers.py')
-rw-r--r--django/urls/resolvers.py6
1 files changed, 2 insertions, 4 deletions
diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py
index ce8c7ffa32..5bfab0c067 100644
--- a/django/urls/resolvers.py
+++ b/django/urls/resolvers.py
@@ -17,7 +17,7 @@ from django.core.checks.urls import check_resolver
from django.core.exceptions import ImproperlyConfigured
from django.utils.datastructures import MultiValueDict
from django.utils.functional import cached_property
-from django.utils.http import RFC3986_SUBDELIMS
+from django.utils.http import RFC3986_SUBDELIMS, escape_leading_slashes
from django.utils.regex_helper import normalize
from django.utils.translation import get_language
@@ -592,9 +592,7 @@ class URLResolver:
# safe characters from `pchar` definition of RFC 3986
url = quote(candidate_pat % text_candidate_subs, safe=RFC3986_SUBDELIMS + '/~:@')
# Don't allow construction of scheme relative urls.
- if url.startswith('//'):
- url = '/%%2F%s' % url[2:]
- return url
+ return escape_leading_slashes(url)
# lookup_view can be URL name or callable, but callables are not
# friendly in error messages.
m = getattr(lookup_view, '__module__', None)
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 06:26:03 +0000