Bug 997121 - python-django: potential XSS via is_safe_url
Summary: python-django: potential XSS via is_safe_url
Keywords:
Status: CLOSED DUPLICATE of bug 1016394
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 997126 997127 997128
Blocks: 997123
TreeView+ depends on / blocked
 
Reported: 2013-08-14 17:53 UTC by Vincent Danen
Modified: 2019-09-29 13:07 UTC (History)
19 users (show)

Fixed In Version: Django 1.4.6, Django 1.5.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-30 04:40:20 UTC


Attachments (Terms of Use)

Description Vincent Danen 2013-08-14 17:53:23 UTC
Django 1.4.6 and 1.5.2 were released to correct the following security flaw:

A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.

A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.

The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response.

To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.

The upstream patches are here:
https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f (1.5)
https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a (1.4)


External References:

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

Comment 1 Vincent Danen 2013-08-14 17:58:55 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 997128]

Comment 2 Vincent Danen 2013-08-14 17:59:21 UTC
Created python-django14 tracking bugs for this issue:

Affects: fedora-19 [bug 997127]

Comment 3 Vincent Danen 2013-08-14 17:59:30 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 997126]

Comment 4 Vincent Danen 2013-08-19 15:49:32 UTC
This issue didn't get a CVE name as of yet as it's being possibly considered as a hardening, rather than fixing a flaw.

http://www.openwall.com/lists/oss-security/2013/08/19/2

Comment 5 Matthias Runge 2013-09-06 10:15:23 UTC
all dependeing bugs were fixed, so closing.

Comment 6 Tomas Hoger 2013-09-06 12:42:40 UTC
Not to be closed yet.

Comment 7 Kurt Seifried 2014-05-30 04:40:20 UTC
Ratul filed this as 1016394 which we referenced in errata so closing this one.

*** This bug has been marked as a duplicate of bug 1016394 ***


Note You need to log in before you can comment on or make changes to this bug.