diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:03:46 +0200 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:03:46 +0200 |
| commit | 4dea4883e6c50d75f215a6b9bcbd95273f57c72d (patch) | |
| tree | 524758103376e080755bd3271ba3ea97fce1c646 /django | |
| parent | b2eb4787a0fff9c9993b78be5c698e85108f3446 (diff) | |
[1.3.x] Fixed a security issue in http redirects. Disclosure and new release forthcoming.
Backport of 4129201c3e0fa057c198bdefcb34686a23b4a93c from master.
Diffstat (limited to 'django')
| -rw-r--r-- | django/http/__init__.py | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py index 07e5a46797..74113b080a 100644 --- a/django/http/__init__.py +++ b/django/http/__init__.py @@ -4,7 +4,7 @@ import re import time from pprint import pformat from urllib import urlencode, quote -from urlparse import urljoin +from urlparse import urljoin, urlparse try: from cStringIO import StringIO except ImportError: @@ -117,6 +117,7 @@ class CompatCookie(SimpleCookie): warnings.warn("CompatCookie is deprecated, use django.http.SimpleCookie instead.", PendingDeprecationWarning) +from django.core.exceptions import SuspiciousOperation from django.utils.datastructures import MultiValueDict, ImmutableList from django.utils.encoding import smart_str, iri_to_uri, force_unicode from django.utils.http import cookie_date @@ -635,19 +636,21 @@ class HttpResponse(object): raise Exception("This %s instance cannot tell its position" % self.__class__) return sum([len(chunk) for chunk in self._container]) -class HttpResponseRedirect(HttpResponse): - status_code = 302 +class HttpResponseRedirectBase(HttpResponse): + allowed_schemes = ['http', 'https', 'ftp'] def __init__(self, redirect_to): - super(HttpResponseRedirect, self).__init__() + super(HttpResponseRedirectBase, self).__init__() + parsed = urlparse(redirect_to) + if parsed.scheme and parsed.scheme not in self.allowed_schemes: + raise SuspiciousOperation("Unsafe redirect to URL with scheme '%s'" % parsed.scheme) self['Location'] = iri_to_uri(redirect_to) -class HttpResponsePermanentRedirect(HttpResponse): - status_code = 301 +class HttpResponseRedirect(HttpResponseRedirectBase): + status_code = 302 - def __init__(self, redirect_to): - super(HttpResponsePermanentRedirect, self).__init__() - self['Location'] = iri_to_uri(redirect_to) +class HttpResponsePermanentRedirect(HttpResponseRedirectBase): + status_code = 301 class HttpResponseNotModified(HttpResponse): status_code = 304 |