[Django] #27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly


Django

Mar 8, 2017, 11:03:58 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-----------------------------------------+------------------------
Reporter: roks0n | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
For this to work, you have to first convert IPv4 (208.118.235.20) into a
decimal IP (3497454356).

**GIVEN** I am given a link, e.g.
https://example.com/admin/logout/?next=ftp:3497454356
**WHEN** I click on the link (in this case, if I'm logged in)
**THEN** I am redirected to ftp://208.118.235.20

Above also works for https://example.com/admin/login/?next=ftp:3497454356


{{{
In [1]: from django.utils.http import is_safe_url

In [2]: is_safe_url('http:999999999')
Out[2]: False
In [3]: is_safe_url('ftp:999999999')
Out[3]: True
In [4]: is_safe_url('ftp:999999999/test/')
Out[4]: False

In [5]: is_safe_url('ftp:9999999999', host='example.com')
Out[5]: True
In [6]: is_safe_url('http:9999999999', host='example.com')
Out[6]: False
In [7]: is_safe_url('https:9999999999', host='example.com')
Out[7]: True
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27912>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
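An added example, not code from this ticket and not Django's own is_safe_url(): a stand-alone validator that applies the rules a safe-redirect check needs (a scheme without a host is rejected, a host must equal the expected one, only http and https are allowed, no leading control character, no "///", backslashes treated as slashes) but decides the scheme itself with the RFC 3986 scheme rule instead of deferring to urllib.parse. The reported strings slip through because older urlsplit() implementations treat an all-digit remainder after "scheme:" as a port rather than a scheme, so "ftp:3497454356" comes back with an empty scheme and looks like a relative path. The host "example.com" and the function names split_url/is_safe_redirect are assumptions of this example.

```python
import re
import unicodedata

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'.
# Parsing the scheme here (rather than via urllib.parse) means that
# "ftp:3497454356" is always seen as scheme "ftp" with path "3497454356".
_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):(.*)$', re.DOTALL)


def split_url(url):
    """Return (scheme, netloc, rest) with a strict RFC 3986 scheme rule.

    rest is whatever follows the authority (path, query and fragment).
    """
    scheme, rest = '', url
    m = _SCHEME_RE.match(url)
    if m:
        scheme, rest = m.group(1).lower(), m.group(2)
    netloc = ''
    if rest.startswith('//'):
        # The authority runs up to the first '/', '?' or '#'.
        end = len(rest)
        for ch in '/?#':
            idx = rest.find(ch, 2)
            if idx != -1:
                end = min(end, idx)
        netloc, rest = rest[2:end], rest[end:]
    return scheme, netloc, rest


def _is_safe(url, host):
    # Some browsers read "///host" as an absolute URL.
    if url.startswith('///'):
        return False
    # Some browsers ignore leading control characters, which could turn a
    # path into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == 'C':
        return False
    scheme, netloc, _ = split_url(url)
    # "ftp:3497454356", "http:999999999", "https:9999999999": a scheme with
    # no host is rejected, so the decimal-IP trick never reaches the browser.
    if scheme and not netloc:
        return False
    if netloc and netloc != host:
        return False
    if scheme and scheme not in ('http', 'https'):
        return False
    return True


def is_safe_redirect(url, host):
    """True only if url is a relative path or points at host over http(s)."""
    url = url.strip()
    if not url:
        return False
    # Browsers treat '\' as '/' in paths, so both spellings must pass.
    return _is_safe(url, host) and _is_safe(url.replace('\\', '/'), host)
```

Run the value of the "next" parameter through is_safe_redirect() before issuing the redirect and fall back to a fixed default URL whenever it returns False; the hostname passed in should be the one the application expects, not one taken from the request.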

Django

Mar 8, 2017, 11:22:54 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-------------------------------+--------------------------------------
Reporter: roks0n | Owner: Tim Graham
Type: Bug | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Tim Graham):

* owner: nobody => Tim Graham
* status: new => assigned
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:1>

Django

Apr 4, 2017, 10:02:59 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-------------------------------+--------------------------------------
Reporter: roks0n | Owner: Tim Graham
Type: Bug | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"8339277518c7d8ec280070a780915304654e3b66" 8339277]:
{{{
#!CommitTicketReference repository=""
revision="8339277518c7d8ec280070a780915304654e3b66"
[1.8.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.

This is a security fix.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:2>

Django

Apr 4, 2017, 10:09:35 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-------------------------------+--------------------------------------
Reporter: roks0n | Owner: Tim Graham
Type: Bug | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"254326cb3682389f55f886804d2c43f7b9f23e4f" 254326cb]:
{{{
#!CommitTicketReference repository=""
revision="254326cb3682389f55f886804d2c43f7b9f23e4f"
[1.9.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.

This is a security fix.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:3>

Django

Apr 4, 2017, 10:18:20 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-------------------------------+--------------------------------------
Reporter: roks0n | Owner: Tim Graham
Type: Bug | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"f824655bc2c50b19d2f202d7640785caabc82787" f824655b]:
{{{
#!CommitTicketReference repository=""
revision="f824655bc2c50b19d2f202d7640785caabc82787"
[1.10.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.

This is a security fix.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:4>

Django

Apr 4, 2017, 10:45:01 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-------------------------------+--------------------------------------
Reporter: roks0n | Owner: Tim Graham
Type: Bug | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"5ea48a70afac5e5684b504f09286e7defdd1a81a" 5ea48a70]:
{{{
#!CommitTicketReference repository=""
revision="5ea48a70afac5e5684b504f09286e7defdd1a81a"
Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.

This is a security fix.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:5>

Django

Apr 4, 2017, 10:47:30 AM
to django-...@googlegroups.com
#27912: Open redirect on non-HTTP protocols: is_safe_url not validating properly
-------------------------------+--------------------------------------
Reporter: roks0n | Owner: Tim Graham
Type: Bug | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"97e77b7bc14eafda704a01881cb2a3dc164947bc" 97e77b7b]:
{{{
#!CommitTicketReference repository=""
revision="97e77b7bc14eafda704a01881cb2a3dc164947bc"
[1.11.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.

This is a security fix.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:6>
