[Django] #36000: Insecure URL Handling (HTTP Protocol Default) in urlize


Django

Dec 11, 2024, 11:01:37 AM12/11/24
to django-...@googlegroups.com
#36000: Insecure URL Handling (HTTP Protocol Default) in urlize
-------------------------------------+-------------------------------------
Reporter:      saravana-hackz       | Type:                    Cleanup/optimization
Status:        new                  | Component:               HTTP handling
Version:       5.1                  | Severity:                Normal
Keywords:                           | Triage Stage:            Unreviewed
Has patch:     1                    | Needs documentation:     0
Needs tests:   0                    | Patch needs improvement: 0
Easy pickings: 1                    | UI/UX:                   0
-------------------------------------+-------------------------------------
Hi Team,
In django/utils/html.py, line no. 347, due to the following code:
url = smart_urlquote("http://%s" % html.unescape(middle))

When user input does not include a protocol it defaults to http
(insecure protocol).
Example:
Consider a web app using urlize() for a password reset email template.
input = Password reset link myapp.com/password/reset/{token}
output:
Password reset link <a href="http://myapp.com/password/reset/{token}"/>
so when the end user of myapp clicks it, the URL with the token is sent over
the insecure http protocol.

This behavior could potentially lead to man-in-the-middle attacks.

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could
default to https://
--
Ticket URL: <https://code.djangoproject.com/ticket/36000>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
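The following is an added example, not part of the ticket and not Django's own urlize code. It is a small pure-Python linkifier that reproduces the behaviour the reporter describes (a scheme-less token such as myapp.com/password/reset/... gets a scheme prepended) but uses https as the default, keeps any scheme the token already carries, and adds a check that scans rendered markup for plain http:// hrefs so a team can flag them in outgoing mail before a framework change lands. The URL-recognising regex, the function names linkify and find_plain_http_links, and the sample strings are all constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed, deliberately simple tokenizer: one whitespace-delimited token
# at a time. This is an illustration, not Django's urlize implementation.
WORD_RE = re.compile(r"\S+")
# A token that already carries a scheme, e.g. "http://", "https://", "ftp://".
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")
# A bare host with at least one dot and an optional path, e.g. "myapp.com/x".
BARE_HOST_RE = re.compile(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)
# Punctuation that commonly follows a URL in prose and should stay outside it.
TRAILING_PUNCT = ".,:;!?)"


def _looks_like_url(token):
    """True for tokens with an explicit scheme or a bare host[/path]."""
    return bool(SCHEME_RE.match(token) or BARE_HOST_RE.match(token))


def linkify(text, default_scheme="https"):
    """Wrap URL-looking tokens in <a> tags.

    Tokens that already have a scheme keep it; scheme-less tokens get
    default_scheme prepended. The default is https so that a token like
    myapp.com/password/reset/<token> is never rendered as a plain-http link.
    """

    def repl(match):
        token = match.group(0)
        trail = ""
        # Peel trailing punctuation off so "example.com." links "example.com".
        while token and token[-1] in TRAILING_PUNCT:
            trail = token[-1] + trail
            token = token[:-1]
        if not _looks_like_url(token):
            return match.group(0)
        url = token if SCHEME_RE.match(token) else f"{default_scheme}://{token}"
        # Escape both the href and the visible text to avoid markup injection.
        return (
            f'<a href="{html.escape(url, quote=True)}">{html.escape(token)}</a>'
            + trail
        )

    return WORD_RE.sub(repl, text)


def find_plain_http_links(markup):
    """Return every href in rendered markup whose scheme is plain http.

    Intended as a pre-send check on email templates: an empty list means no
    link would carry its path (and any embedded token) over cleartext HTTP.
    """
    hrefs = re.findall(r'href="([^"]+)"', markup)
    return [h for h in hrefs if urlsplit(h).scheme.lower() == "http"]


if __name__ == "__main__":
    # Constructed sample input mirroring the ticket's password-reset case.
    reset_text = "Password reset link myapp.com/password/reset/abc123"
    rendered = linkify(reset_text)
    print(rendered)
    print("plain http links:", find_plain_http_links(rendered))
```

Running the block renders the reset link with an https:// href and reports no plain-http links; feeding it text that already contains an explicit http:// URL keeps that scheme, and find_plain_http_links lists it so the author can decide whether the cleartext link is acceptable.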