diff options
| author | Andreas Hug <andreas.hug@moccu.com> | 2018-07-24 16:18:17 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2018-08-01 09:35:09 -0400 |
| commit | c4e5ff7fdb5fce447675e90291fd33fddd052b3c (patch) | |
| tree | b1c98d1ece0565e0cdb66907d9d9e9e5e2e17cad /django | |
| parent | b3234256616b0a6c8195715cbd8c850cee2cc064 (diff) | |
[2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'django')
| -rw-r--r-- | django/middleware/common.py | 3 | ||||
| -rw-r--r-- | django/urls/resolvers.py | 6 | ||||
| -rw-r--r-- | django/utils/http.py | 11 |
3 files changed, 16 insertions, 4 deletions
diff --git a/django/middleware/common.py b/django/middleware/common.py index bea3f7448a..a18fbe7b47 100644 --- a/django/middleware/common.py +++ b/django/middleware/common.py @@ -7,6 +7,7 @@ from django.core.mail import mail_managers from django.http import HttpResponsePermanentRedirect from django.urls import is_valid_path from django.utils.deprecation import MiddlewareMixin +from django.utils.http import escape_leading_slashes class CommonMiddleware(MiddlewareMixin): @@ -79,6 +80,8 @@ class CommonMiddleware(MiddlewareMixin): POST, PUT, or PATCH. """ new_path = request.get_full_path(force_append_slash=True) + # Prevent construction of scheme relative urls. + new_path = escape_leading_slashes(new_path) if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'): raise RuntimeError( "You called this URL via %(method)s, but the URL doesn't end " diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py index ce8c7ffa32..5bfab0c067 100644 --- a/django/urls/resolvers.py +++ b/django/urls/resolvers.py @@ -17,7 +17,7 @@ from django.core.checks.urls import check_resolver from django.core.exceptions import ImproperlyConfigured from django.utils.datastructures import MultiValueDict from django.utils.functional import cached_property -from django.utils.http import RFC3986_SUBDELIMS +from django.utils.http import RFC3986_SUBDELIMS, escape_leading_slashes from django.utils.regex_helper import normalize from django.utils.translation import get_language @@ -592,9 +592,7 @@ class URLResolver: # safe characters from `pchar` definition of RFC 3986 url = quote(candidate_pat % text_candidate_subs, safe=RFC3986_SUBDELIMS + '/~:@') # Don't allow construction of scheme relative urls. - if url.startswith('//'): - url = '/%%2F%s' % url[2:] - return url + return escape_leading_slashes(url) # lookup_view can be URL name or callable, but callables are not # friendly in error messages. m = getattr(lookup_view, '__module__', None) diff --git a/django/utils/http.py b/django/utils/http.py index 4558c6874a..e33ec7362b 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -433,3 +433,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(value, encoding=encoding, errors=errors) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url |