[2.0.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.

author: Andreas Hug <andreas.hug@moccu.com> 2018-07-24 16:18:17 -0400
committer: Tim Graham <timograham@gmail.com> 2018-07-31 10:37:29 -0400
commit: 6fffc3c6d420e44f4029d5643f38d00a39b08525 (patch)
tree: 31633bc12b5f6705f19e8e998773fceba820ab78 /django/urls/resolvers.py
parent: af344691114e4a68334c30543bfb838996328212 (diff)
1 files changed, 2 insertions, 4 deletions
diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py
index c5b0811136..f89fc5aba0 100644
--- a/django/urls/resolvers.py
+++ b/django/urls/resolvers.py
@@ -17,7 +17,7 @@ from django.core.checks.urls import check_resolver
 from django.core.exceptions import ImproperlyConfigured
 from django.utils.datastructures import MultiValueDict
 from django.utils.functional import cached_property
-from django.utils.http import RFC3986_SUBDELIMS
+from django.utils.http import RFC3986_SUBDELIMS, escape_leading_slashes
 from django.utils.regex_helper import normalize
 from django.utils.translation import get_language
 
@@ -604,9 +604,7 @@ class URLResolver:
                     # safe characters from `pchar` definition of RFC 3986
                     url = quote(candidate_pat % text_candidate_subs, safe=RFC3986_SUBDELIMS + '/~:@')
                     # Don't allow construction of scheme relative urls.
-                    if url.startswith('//'):
-                        url = '/%%2F%s' % url[2:]
-                    return url
+                    return escape_leading_slashes(url)
         # lookup_view can be URL name or callable, but callables are not
         # friendly in error messages.
         m = getattr(lookup_view, '__module__', None)
author	Andreas Hug <andreas.hug@moccu.com>	2018-07-24 16:18:17 -0400
committer	Tim Graham <timograham@gmail.com>	2018-07-31 10:37:29 -0400
commit	6fffc3c6d420e44f4029d5643f38d00a39b08525 (patch)
tree	31633bc12b5f6705f19e8e998773fceba820ab78 /django/urls/resolvers.py
parent	af344691114e4a68334c30543bfb838996328212 (diff)