[2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.

author: Andreas Hug <andreas.hug@moccu.com> 2018-07-24 16:18:17 -0400
committer: Tim Graham <timograham@gmail.com> 2018-08-01 09:35:09 -0400
commit: c4e5ff7fdb5fce447675e90291fd33fddd052b3c (patch)
tree: b1c98d1ece0565e0cdb66907d9d9e9e5e2e17cad /django/utils/http.py
parent: b3234256616b0a6c8195715cbd8c850cee2cc064 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 4558c6874a..e33ec7362b 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -433,3 +433,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8',
             value = unquote(value, encoding=encoding, errors=errors)
             r.append((name, value))
     return r
+
+
+def escape_leading_slashes(url):
+    """
+    If redirecting to an absolute path (two leading slashes), a slash must be
+    escaped to prevent browsers from handling the path as schemaless and
+    redirecting to another host.
+    """
+    if url.startswith('//'):
+        url = '/%2F{}'.format(url[2:])
+    return url
author	Andreas Hug <andreas.hug@moccu.com>	2018-07-24 16:18:17 -0400
committer	Tim Graham <timograham@gmail.com>	2018-08-01 09:35:09 -0400
commit	c4e5ff7fdb5fce447675e90291fd33fddd052b3c (patch)
tree	b1c98d1ece0565e0cdb66907d9d9e9e5e2e17cad /django/utils/http.py
parent	b3234256616b0a6c8195715cbd8c850cee2cc064 (diff)