| author | Florian Apolloner <florian@apolloner.eu> | 2014-07-17 21:59:28 +0200 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-20 11:43:43 -0400 |
| commit | da051da8df5e69944745072611351d4cfc6435d5 (patch) | |
| tree | 4a491f8a733a636f91b62b1d45d13deed9da42b1 /django | |
| parent | 52b878d805c2dc810ddc1ea5493bb7b86455eacc (diff) | |
[1.6.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/urlresolvers.py | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/django/core/urlresolvers.py b/django/core/urlresolvers.py
index b3008e88c4..4f251ab4ce 100644
--- a/django/core/urlresolvers.py
+++ b/django/core/urlresolvers.py
@@ -435,7 +435,11 @@ class RegexURLResolver(LocaleRegexProvider):
 candidate_pat = prefix_norm.replace('%', '%%') + result
 if re.search('^%s%s' % (prefix_norm, pattern), candidate_pat % candidate_subs, re.UNICODE):
 candidate_subs = dict((k, urlquote(v)) for (k, v) in candidate_subs.items())
- return candidate_pat % candidate_subs
+ url = candidate_pat % candidate_subs
+ # Don't allow construction of scheme relative urls.
+ if url.startswith('//'):
+ url = '/%%2F%s' % url[2:]
+ return url
 # lookup_view can be URL label, or dotted path, or callable, Any of
 # these can be passed in at the top, but callables are not friendly in
 # error messages.
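Review bot: The added comment on the `url.startswith('//')` guard says what is rejected but not why the second slash is percent-encoded rather than dropped, which is the non-obvious part of this fix; I would expand it to `# A URL beginning with '//' is scheme-relative and would send the browser to another host; encode the second slash as %2F so the path stays on this host and still round-trips.` Note that `'%%'` in the format string produces a single literal `%`, so the result is `/%2F...`, which is easy to misread as a double-escaping bug and deserves a word in the comment too. The guard only recognises a leading forward-slash pair; whether a captured argument could ever yield a leading `/` followed by a backslash, which some browsers also treat as scheme-relative, is not visible here and is worth confirming against the resolver's argument handling. The enclosing method starts and ends outside the hunk.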
