Hi all,
Django provides a function `django.utils.is_safe_url()` to ensure that a given URL (absolute or relative) is safe to redirect to. I needed that functionality on another project that doesn't use Django at all. I thus built a standalone is-safe-url Python package that can be installed from PyPI and exposes exactly that functionality:
$ pip install is-safe-url
Collecting is-safe-url
Downloading https://files.pythonhosted.org/packages/7a/c3/40c363bc4c3d0ddcda3489239ba64752b8c18cb6493e058f8f1b73154925/is_safe_url-1.0-py3-none-any.whl
Installing collected packages: is-safe-url
Successfully installed is-safe-url-1.0
The code is available on GitLab:
https://gitlab.com/MarkusH/is_safe_url
I'd love to get some feedback on a couple of things:
- As Django is published under the BSD 3-Clause license, the standalone package is published under the same license. I'd love some feedback on whether the package adheres to the required references and naming of the source.
- I added a note that security issues should be reported privately to the Django security team at secu...@djangoproject.com or to me personally (I'm a member of the security team and could forward the report accordingly). Are there suggestions for how the statement in the README could be made clearer?
- The package is available for Python 2.7, 3.4, 3.5, 3.6, and 3.7. Should I keep 2.7 or drop it? I know some people are still on 2.7 and 2.7 is still supported for another 2 years.
- How would security releases work? When there's a security report against Django's built-in is_safe_url(), this package would need to be released as well.
- Jannis Leidel raised a valid concern about abandonment of this or similar packages (thanks!): "I'm mostly worried about abandonment of packages (from experience) that makes maintenance of sec infrastructure brittle." — https://twitter.com/jezdez/status/1049955307558981634
I want to approach the latter concern about abandonment upfront. But I don't have a clear answer or solution to it yet.
- Would it be useful to have this package under the Django GitHub org?
- If so, should Django possibly depend on that package itself? Given how often Django has had security releases because of issues in `is_safe_url()`, releasing a smaller package instead of the full Django package could possibly be beneficial.
- Does somebody from the security team want to be, or should somebody be, another maintainer?
Thanks for reading.
Markus
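For readers who have not seen what the function actually guards against, the following is an added example (not the package's code, and not part of the original mail): a self-contained, simplified re-implementation of the checks Django's `is_safe_url()` performs, run over a set of constructed redirect targets. The `allowed_hosts` values and sample URLs are made up for the demonstration; in particular note that a host with a port is only accepted if `host:port` itself is in `allowed_hosts`.

```python
import unicodedata
from urllib.parse import urlparse


def _is_safe_url(url, allowed_hosts, require_https=False):
    """One pass of the check (simplified re-implementation, not Django's code)."""
    # Some browsers treat "///host" as a network-path reference, so reject it outright.
    if url.startswith("///"):
        return False
    try:
        info = urlparse(url)
    except ValueError:
        return False
    # A scheme without a netloc ("javascript:...", "data:...") is never a redirect target.
    if info.scheme and not info.netloc:
        return False
    # Leading control characters can confuse browsers' URL parsing.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = info.scheme
    # "//host/path" has a netloc but no scheme: treat it as http so the host gets checked.
    if not scheme and info.netloc:
        scheme = "http"
    valid_schemes = ["https"] if require_https else ["http", "https"]
    return (not info.netloc or info.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def is_safe_url(url, allowed_hosts, require_https=False):
    """Return True only if `url` is relative or points at a host in `allowed_hosts`."""
    url = url.strip() if url is not None else None
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    allowed_hosts = set(allowed_hosts or ())
    # Check the URL as given *and* with backslashes normalised to slashes, because
    # some browsers treat "\\host" like "//host" while urlparse() does not.
    return _is_safe_url(url, allowed_hosts, require_https) and _is_safe_url(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def classify(candidates, allowed_hosts, require_https=False):
    """Map each constructed candidate URL to its verdict, for inspection in a shell."""
    return {u: is_safe_url(u, allowed_hosts, require_https) for u in candidates}
```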