**GIVEN** I am given a link, e.g.
https://example.com/admin/logout/?next=ftp:3497454356
**WHEN** I click on the link (in this case, if I'm logged in)
**THEN** I am redirected to ftp://208.118.235.20
The above also works for https://example.com/admin/login/?next=ftp:3497454356
{{{
In [1]: from django.utils.http import is_safe_url
In [2]: is_safe_url('http:999999999')
Out[2]: False
In [3]: is_safe_url('ftp:999999999')
Out[3]: True
In [4]: is_safe_url('ftp:999999999/test/')
Out[4]: False
In [5]: is_safe_url('ftp:9999999999', host='example.com')
Out[5]: True
In [6]: is_safe_url('http:9999999999', host='example.com')
Out[6]: False
In [7]: is_safe_url('https:9999999999', host='example.com')
Out[7]: True
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27912>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
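An added illustration, written for this page and not taken from Django or from the fix commits below: a strict scheme splitter that treats `ftp:3497454356` the way a browser does (scheme `ftp`, no authority), a same-origin check modelled on is_safe_url() that is built on it, and the decimal-to-dotted conversion that turns the numeric tail into 208.118.235.20. The names `split_scheme`, `is_safe_redirect` and `decimal_host_to_ip` are my own.

```python
import ipaddress
import string
from urllib.parse import urlsplit

# Characters a scheme may contain: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")
SCHEME_CHARS = string.ascii_letters + string.digits + "+-."


def split_scheme(url):
    """Split 'scheme:rest' the way a browser does: any well-formed prefix
    before the first ':' is a scheme, even when the rest is purely numeric."""
    i = url.find(":")
    if i > 0 and url[0].isalpha() and all(c in SCHEME_CHARS for c in url[:i]):
        return url[:i].lower(), url[i + 1:]
    return "", url


def is_safe_redirect(url, host, allowed_schemes=("http", "https")):
    """Same-origin redirect check modelled on is_safe_url(), using the strict
    splitter so a numeric tail cannot hide the scheme (hypothetical helper,
    not Django's implementation)."""
    if not url or url.startswith("///"):
        return False
    scheme, rest = split_scheme(url)
    netloc = ""
    if rest.startswith("//"):
        netloc = rest[2:].split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    # A scheme with no authority (ftp:123, http:///x) is never a safe target.
    if scheme and not netloc:
        return False
    if netloc and netloc.lower() != host.lower():
        return False
    return not scheme or scheme in allowed_schemes


def decimal_host_to_ip(digits):
    """What a browser does with the numeric tail: 3497454356 -> 208.118.235.20."""
    return str(ipaddress.IPv4Address(int(digits)))


if __name__ == "__main__":
    # Constructed inputs; the first is the one from the ticket description.
    for u in ("ftp:3497454356", "http:999999999", "https:9999999999", "/admin/"):
        # stdlib parse shown for comparison only: its handling of a numeric
        # tail after the scheme changed between Python releases (bpo-27657).
        print(u, repr(urlsplit(u).scheme), repr(split_scheme(u)[0]),
              is_safe_redirect(u, "example.com"))
    print(decimal_host_to_ip("3497454356"))
```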
* owner: nobody => Tim Graham
* status: new => assigned
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:1>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"8339277518c7d8ec280070a780915304654e3b66" 8339277]:
{{{
#!CommitTicketReference repository=""
revision="8339277518c7d8ec280070a780915304654e3b66"
[1.8.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.
This is a security fix.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:2>
Comment (by Tim Graham <timograham@…>):
In [changeset:"254326cb3682389f55f886804d2c43f7b9f23e4f" 254326cb]:
{{{
#!CommitTicketReference repository=""
revision="254326cb3682389f55f886804d2c43f7b9f23e4f"
[1.9.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.
This is a security fix.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:3>
Comment (by Tim Graham <timograham@…>):
In [changeset:"f824655bc2c50b19d2f202d7640785caabc82787" f824655b]:
{{{
#!CommitTicketReference repository=""
revision="f824655bc2c50b19d2f202d7640785caabc82787"
[1.10.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.
This is a security fix.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:4>
Comment (by Tim Graham <timograham@…>):
In [changeset:"5ea48a70afac5e5684b504f09286e7defdd1a81a" 5ea48a70]:
{{{
#!CommitTicketReference repository=""
revision="5ea48a70afac5e5684b504f09286e7defdd1a81a"
Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
This is a security fix.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:5>
Comment (by Tim Graham <timograham@…>):
In [changeset:"97e77b7bc14eafda704a01881cb2a3dc164947bc" 97e77b7b]:
{{{
#!CommitTicketReference repository=""
revision="97e77b7bc14eafda704a01881cb2a3dc164947bc"
[1.11.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric
URLs.
This is a security fix.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27912#comment:6>