diff options
| author | Andreas Hug <andreas.hug@moccu.com> | 2018-07-24 16:18:17 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2018-07-31 10:37:29 -0400 |
| commit | 6fffc3c6d420e44f4029d5643f38d00a39b08525 (patch) | |
| tree | 31633bc12b5f6705f19e8e998773fceba820ab78 /django | |
| parent | af344691114e4a68334c30543bfb838996328212 (diff) | |
[2.0.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'django')
| -rw-r--r-- | django/middleware/common.py | 3 | ||||
| -rw-r--r-- | django/urls/resolvers.py | 6 | ||||
| -rw-r--r-- | django/utils/http.py | 11 |
3 files changed, 16 insertions, 4 deletions
diff --git a/django/middleware/common.py b/django/middleware/common.py index d8cfb9a8b0..ea5e536655 100644 --- a/django/middleware/common.py +++ b/django/middleware/common.py @@ -11,6 +11,7 @@ from django.utils.cache import ( cc_delim_re, get_conditional_response, set_response_etag, ) from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning +from django.utils.http import escape_leading_slashes class CommonMiddleware(MiddlewareMixin): @@ -88,6 +89,8 @@ class CommonMiddleware(MiddlewareMixin): POST, PUT, or PATCH. """ new_path = request.get_full_path(force_append_slash=True) + # Prevent construction of scheme relative urls. + new_path = escape_leading_slashes(new_path) if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'): raise RuntimeError( "You called this URL via %(method)s, but the URL doesn't end " diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py index c5b0811136..f89fc5aba0 100644 --- a/django/urls/resolvers.py +++ b/django/urls/resolvers.py @@ -17,7 +17,7 @@ from django.core.checks.urls import check_resolver from django.core.exceptions import ImproperlyConfigured from django.utils.datastructures import MultiValueDict from django.utils.functional import cached_property -from django.utils.http import RFC3986_SUBDELIMS +from django.utils.http import RFC3986_SUBDELIMS, escape_leading_slashes from django.utils.regex_helper import normalize from django.utils.translation import get_language @@ -604,9 +604,7 @@ class URLResolver: # safe characters from `pchar` definition of RFC 3986 url = quote(candidate_pat % text_candidate_subs, safe=RFC3986_SUBDELIMS + '/~:@') # Don't allow construction of scheme relative urls. - if url.startswith('//'): - url = '/%%2F%s' % url[2:] - return url + return escape_leading_slashes(url) # lookup_view can be URL name or callable, but callables are not # friendly in error messages. m = getattr(lookup_view, '__module__', None) diff --git a/django/utils/http.py b/django/utils/http.py index 5e900506ff..fb51ca8bd0 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -437,3 +437,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(value, encoding=encoding, errors=errors) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url |