diff options
| author | Andreas Hug <andreas.hug@moccu.com> | 2018-07-24 16:18:17 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2018-07-31 10:37:29 -0400 |
| commit | 6fffc3c6d420e44f4029d5643f38d00a39b08525 (patch) | |
| tree | 31633bc12b5f6705f19e8e998773fceba820ab78 /django/utils | |
| parent | af344691114e4a68334c30543bfb838996328212 (diff) | |
[2.0.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/http.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index 5e900506ff..fb51ca8bd0 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -437,3 +437,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(value, encoding=encoding, errors=errors) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url |