Red Hat Bugzilla – Bug 997121
python-django: potential XSS via is_safe_url
Last modified: 2016-04-26 12:24:16 EDT
Django 1.4.6 and 1.5.2 were released to correct the following security flaw:
A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.
A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.
To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.
The upstream patches are here:
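To illustrate the check described above, here is a small stand-alone redirect validator written for this entry. It is an added example, not Django's is_safe_url() and not the upstream patch: it accepts relative paths and absolute URLs on one allowed host, and rejects any URL whose scheme is not http or https, which is the class of input the fix targets. The function names, the host `app.example.com` and the sample inputs are all constructed for the example.

```python
from urllib.parse import urlparse


def is_safe_redirect(url, allowed_host):
    """Return True only if `url` is a relative path, or an absolute http/https
    URL whose host is exactly `allowed_host`.

    Hypothetical validator for this example; not Django's is_safe_url().
    """
    if not url:
        return False
    url = url.strip()
    # Browsers treat backslashes as forward slashes in URLs, so normalise
    # them first; otherwise "/\evil.example" would parse as a plain path
    # here but be followed as "//evil.example" by the client.
    url = url.replace("\\", "/")
    # Three or more leading slashes are resolved by browsers as a
    # scheme-relative URL with a host, but urlparse() reports no netloc.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    # Reject any scheme other than http/https (e.g. javascript:, data:).
    # An empty scheme means a relative URL, which is fine if it has no host.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    # Reject protocol-relative URLs ("//other.example/...") and absolute URLs
    # on any host other than the one we serve. netloc includes the port, so
    # a different port is also rejected.
    if parsed.netloc and parsed.netloc.lower() != allowed_host.lower():
        return False
    return True


def redirect_target(next_url, allowed_host, fallback="/"):
    """Pick the post-login destination: the user-supplied `next_url` if it
    passes the check, otherwise a constant fallback on our own site."""
    if is_safe_redirect(next_url, allowed_host):
        return next_url
    return fallback


if __name__ == "__main__":
    host = "app.example.com"  # constructed sample host
    samples = [
        "/accounts/profile/",
        "https://app.example.com/dashboard/",
        "http://evil.example/",
        "//evil.example/",
        "///evil.example/",
        "/\\evil.example/",
        "javascript:void(0)",
        "",
    ]
    for s in samples:
        print(f"{s!r:32} -> {redirect_target(s, host)!r}")
```

The important property is that a bare host comparison is not enough: a value with no host at all but a non-http scheme passes a host-only check while still being dangerous when later placed in a Location header or a link. Checking the scheme explicitly, as the Django fix does, closes that gap.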
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 997128]
Created python-django14 tracking bugs for this issue:
Affects: fedora-19 [bug 997127]
Created python-django tracking bugs for this issue:
Affects: fedora-all [bug 997126]
This issue didn't get a CVE name as of yet as it's being possibly considered as a hardening, rather than fixing a flaw.
All depending bugs were fixed, so closing.
Not to be closed yet.
Ratul filed this as 1016394 which we referenced in errata so closing this one.
*** This bug has been marked as a duplicate of bug 1016394 ***