8000 [1.7.x] Prevented reverse() from generating URLs pointing to other ho… · django/django@bf650a2 · GitHub
[go: up one dir, main page]
Skip to content

Commit bf650a2

Browse files
apollo13timgraham
apollo13
authored and
timgraham
committed
[1.7.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
1 parent 1c00c38 commit bf650a2

File tree

6 files changed

+50
-1
lines changed

6 files changed

+50
-1
lines changed

django/core/urlresolvers.py

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -442,7 +442,11 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs):
442442
candidate_pat = prefix_norm.replace('%', '%%') + result
443443
if re.search('^%s%s' % (prefix_norm, pattern), candidate_pat % candidate_subs, re.UNICODE):
444444
candidate_subs = dict((k, urlquote(v)) for (k, v) in candidate_subs.items())
445-
return candidate_pat % candidate_subs
< 10BC0 /td>445+
url = candidate_pat % candidate_subs
446+
# Don't allow construction of scheme relative urls.
447+
if url.startswith('//'):
448+
url = '/%%2F%s' % url[2:]
449+
return url
446450
# lookup_view can be URL label, or dotted path, or callable, Any of
447451
# these can be passed in at the top, but callables are not friendly in
448452
# error messages.

docs/releases/1.4.14.txt

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
55
*Under development*
66

77
Django 1.4.14 fixes several security issues in 1.4.13.
8+
9+
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10+
=======================================================================================
11+
12+
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13+
starting with two slashes), which could unexpectedly redirect a user to a
14+
different host. An attacker could exploit this, for example, by redirecting
15+
users to a phishing site designed to ask for user's passwords.
16+
17+
To remedy this, URL reversing now ensures that no URL starts with two slashes
18+
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19+
approach ensures that semantics stay the same, while making the URL relative to
20+
the domain and not to the scheme.

docs/releases/1.5.9.txt

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
55
*Under development*
66

77
Django 1.5.9 fixes several security issues in 1.5.8.
8+
9+
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10+
=======================================================================================
11+
12+
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13+
starting with two slashes), which could unexpectedly redirect a user to a
14+
different host. An attacker could exploit this, for example, by redirecting
15+
users to a phishing site designed to ask for user's passwords.
16+
17+
To remedy this, URL reversing now ensures that no URL starts with two slashes
18+
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19+
approach ensures that semantics stay the same, while making the URL relative to
20+
the domain and not to the scheme.

docs/releases/1.6.6.txt

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,19 @@ Django 1.6.6 release notes
66

77
Django 1.6.6 fixes several security issues and bugs in 1.6.5.
88

9+
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
10+
=======================================================================================
11+
12+
In certain situations, URL reversing could generate scheme-relative URLs (URLs
13+
starting with two slashes), which could unexpectedly redirect a user to a
14+
different host. An attacker could exploit this, for example, by redirecting
15+
users to a phishing site designed to ask for user's passwords.
16+
17+
To remedy this, URL reversing now ensures that no URL starts with two slashes
18+
(//), replacing the second slash with its URL encoded counterpart (%2F). This
19+
approach ensures that semantics stay the same, while making the URL relative to
20+
the domain and not to the scheme.
21+
922
Bugfixes
1023
========
1124

tests/urlpatterns_reverse/tests.py

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -151,6 +151,9 @@
151151
('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
152152
('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
153153
('defaults', NoReverseMatch, [], {'arg2': 1}),
154+
155+
# Security tests
156+
('security', '/%2Fexample.com/security/', ['/example.com'], {}),
154157
)
155158

156159

tests/urlpatterns_reverse/urls.py

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,4 +66,7 @@
6666
(r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
6767

6868
url('^includes/', include(other_patterns)),
69+
70+
# Security tests
71+
url('(.+)/security/$', empty_view, name='security'),
6972
)

0 commit comments

Comments
 (0)
0