Bug 997121 - python-django: potential XSS via is_safe_url
python-django: potential XSS via is_safe_url
Status: CLOSED DUPLICATE of bug 1016394
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130813,repor...
: Reopened, Security
Depends On: 997126 997127 997128
Blocks: 997123
  Show dependency treegraph
 
Reported: 2013-08-14 13:53 EDT by Vincent Danen
Modified: 2016-04-26 12:24 EDT (History)
19 users (show)

See Also:
Fixed In Version: Django 1.4.6, Django 1.5.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-30 00:40:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-08-14 13:53:23 EDT
Django 1.4.6 and 1.5.2 were released to correct the following security flaw:

A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.

A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.

The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response.

To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.

The upstream patches are here:
https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f (1.5)
https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a (1.4)


External References:

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
Comment 1 Vincent Danen 2013-08-14 13:58:55 EDT
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 997128]
Comment 2 Vincent Danen 2013-08-14 13:59:21 EDT
Created python-django14 tracking bugs for this issue:

Affects: fedora-19 [bug 997127]
Comment 3 Vincent Danen 2013-08-14 13:59:30 EDT
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 997126]
Comment 4 Vincent Danen 2013-08-19 11:49:32 EDT
This issue didn't get a CVE name as of yet as it's being possibly considered as a hardening, rather than fixing a flaw.

http://www.openwall.com/lists/oss-security/2013/08/19/2
Comment 5 Matthias Runge 2013-09-06 06:15:23 EDT
all dependeing bugs were fixed, so closing.
Comment 6 Tomas Hoger 2013-09-06 08:42:40 EDT
Not to be closed yet.
Comment 7 Kurt Seifried 2014-05-30 00:40:20 EDT
Ratul filed this as 1016394 which we referenced in errata so closing this one.

*** This bug has been marked as a duplicate of bug 1016394 ***

Note You need to log in before you can comment on or make changes to this bug.