[1.11.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.

This is a security fix.

3 files changed, 36 insertions, 0 deletions

diff --git a/docs/releases/1.10.7.txt b/docs/releases/1.10.7.txt
index 0c79347cc3..c5caa65143 100644
--- a/docs/releases/1.10.7.txt
+++ b/docs/releases/1.10.7.txt
@@ -6,6 +6,18 @@ Django 1.10.7 release notes
 
 Django 1.10.7 fixes two security issues and a bug in 1.10.6.
 
+CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
+============================================================================================
+
+Django relies on user input in some cases  (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
+URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
 =============================================================================
 
diff --git a/docs/releases/1.8.18.txt b/docs/releases/1.8.18.txt
index 7b1e08046c..f41c7d080f 100644
--- a/docs/releases/1.8.18.txt
+++ b/docs/releases/1.8.18.txt
@@ -6,6 +6,18 @@ Django 1.8.18 release notes
 
 Django 1.8.18 fixes two security issues in 1.8.17.
 
+CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
+============================================================================================
+
+Django relies on user input in some cases  (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
+URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
 =============================================================================
 
diff --git a/docs/releases/1.9.13.txt b/docs/releases/1.9.13.txt
index f9d203eafe..4828096da9 100644
--- a/docs/releases/1.9.13.txt
+++ b/docs/releases/1.9.13.txt
@@ -7,6 +7,18 @@ Django 1.9.13 release notes
 Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
 release of the 1.9.x series.
 
+CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
+============================================================================================
+
+Django relies on user input in some cases  (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
+URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
 =============================================================================