| author | Tom Hacohen <tasn@users.noreply.github.com> | 2019-01-04 02:21:55 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2019-01-03 22:09:25 -0500 |
| commit | 1cd00fcf52d089ef0fe03beabd05d59df8ea052a (patch) | |
| tree | 46439a6356b26ef009283d89871370cec1e0949c /django | |
| parent | b683bb0c9fec43706e4117ef0d690ab4758d8af0 (diff) | |
[1.11.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possibility in the default 404 page.
Co-Authored-By: Tim Graham <timograham@gmail.com>
Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
Diffstat (limited to 'django')
| -rw-r--r-- | django/views/defaults.py | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/django/views/defaults.py b/django/views/defaults.py
index 348837ed99..5ec9ac8e16 100644
--- a/django/views/defaults.py
+++ b/django/views/defaults.py
@@ -2,6 +2,7 @@ from django import http
 from django.template import Context, Engine, TemplateDoesNotExist, loader
 from django.utils import six
 from django.utils.encoding import force_text
+from django.utils.http import urlquote
 from django.views.decorators.csrf import requires_csrf_token
 
 ERROR_404_TEMPLATE_NAME = '404.html'
@@ -21,7 +22,8 @@ def page_not_found(request, exception, template_name=ERROR_404_TEMPLATE_NAME):
     Templates: :template:`404.html`
     Context:
         request_path
-            The path of the requested URL (e.g., '/app/pages/bad_page/')
+            The path of the requested URL (e.g., '/app/pages/bad_page/'). It's
+            quoted to prevent a content injection attack.
         exception
             The message from the exception which triggered the 404 (if one was
             supplied), or the exception class name
@@ -37,7 +39,7 @@ def page_not_found(request, exception, template_name=ERROR_404_TEMPLATE_NAME):
     if isinstance(message, six.text_type):
         exception_repr = message
     context = {
-        'request_path': request.path,
+        'request_path': urlquote(request.path),
         'exception': exception_repr,
     }
     try:
@@ -50,7 +52,7 @@ def page_not_found(request, exception, template_name=ERROR_404_TEMPLATE_NAME):
         raise
     template = Engine().from_string(
         '<h1>Not Found</h1>'
-        '<p>The requested URL {{ request_path }} was not found on this server.</p>')
+        '<p>The requested resource was not found on this server.</p>')
     body = template.render(Context(context))
     content_type = 'text/html'
     return http.HttpResponseNotFound(body, content_type=content_type)
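Review bot: The added docstring sentence `quoted to prevent a content injection attack` overstates what urlquote() buys a project whose own 404.html renders request_path: percent-encoding neutralises spaces, quotes and most punctuation, but letters, digits and `/-._~` pass through unchanged, so a custom template that echoes the value still displays attacker-chosen words (e.g. `/call-this-number-now/`). I would phrase it as `It is percent-encoded (urlquote) so spaces and punctuation cannot make it read as a sentence; letters and digits are left as-is, so templates that display it should still treat it as untrusted.` The docstring belongs to page_not_found(), whose def line is only the hunk's context and whose body continues outside the hunk.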
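Review bot: The same spoofing concern applies to the `'exception': exception_repr` entry two lines below the changed line, which the commit leaves untouched: when `message` (presumably taken from the exception just above the hunk) is a text string it is placed in the context verbatim, so an Http404 raised with a message built from request data would reach a custom 404.html unquoted. Whether any built-in code builds such a message is not visible here, so I would at least warn template authors with a comment on that line, e.g. `# Verbatim exception text; may be attacker-influenced if the view built it from request data.` The enclosing page_not_found() starts and ends outside this hunk.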
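Review bot: After this change the fallback template contains no template variables, so `Engine().from_string(...)` and `template.render(Context(context))` do nothing but return the literal; the fallback could simply be `body = '<h1>Not Found</h1><p>The requested resource was not found on this server.</p>'` with the Engine and Context calls dropped. This is a style point only, the response bytes are identical. Worth noting for readers of the CVE fix: this literal is reached only after the `raise` at the top of the hunk lets through the default template name (the condition guarding that raise is outside the hunk), so the percent-encoded request_path added by this commit is never rendered by Django itself, only by a project's own 404.html. page_not_found()'s def line lies outside this hunk.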
