authorAndreas Hug <andreas.hug@moccu.com>2018-07-24 16:18:17 -0400
committerTim Graham <timograham@gmail.com>2018-08-01 09:28:42 -0400
commita656a681272f8f3734b6eb38e9a88aa0d91806f1 (patch)
tree84b5b88a03bbee88e8a72912d5bfe29d6ccea7d2 /django/utils/http.py
parent7dbe7aa0b6f9d006800375cf5d8b71416869ce91 (diff)
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'django/utils/http.py')
-rw-r--r--django/utils/http.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index caaab4f9e5..5a063a9956 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -435,3 +435,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8',
value = unquote(value, encoding=encoding, errors=errors)
r.append((name, value))
return r
+
+
+def escape_leading_slashes(url):
+ """
+ If redirecting to an absolute path (two leading slashes), a slash must be
+ escaped to prevent browsers from handling the path as schemaless and
+ redirecting to another host.
+ """
+ if url.startswith('//'):
+ url = '/%2F{}'.format(url[2:])
+ return url
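Review bot: `escape_leading_slashes` rewrites only a literal `//` prefix, so its protection depends on the caller passing a path that is already percent-encoded. A prefix that a browser may normalise to `//` (for example a backslash in place of the second slash) is returned unchanged if it reaches this helper raw. The callers are not visible in this diff, so I would state the precondition in the docstring, e.g. `url must be an already-escaped path (such as the output of request.get_full_path()); only a literal '//' prefix is rewritten.` The docstring also calls a `//` prefix an "absolute path", although it is the scheme-relative (network-path) form that a browser resolves against another host; using that term would make the reason for the `/%2F` rewrite clearer.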