Re: [Django] #13751: Avoid open redirect issue with whitelist


Django

May 22, 2011, 8:44:46 PM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: nobody
Type: New feature | Status: new
Milestone: 1.3 | Component: HTTP handling
Version: SVN | Severity: Normal
Resolution: | Keywords: open redirect, security
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 1 | Easy pickings: 0
-------------------------------------+-------------------------------------
Changes (by davidfischer):

* cc: djfische@… (added)
* easy: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 5, 2013, 11:08:01 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 1
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------

Comment (by claudep):

Even if we don't cover all use cases of this ticket, I think that progress
has been made with commit [a2f2a399566dd68ce] (#18856).

I think we should now better document:
* Add `is_safe_url` in docs/ref/utils
* Add a note in `HttpResponseRedirect` docs that if the path parameter
comes from user input, it should be passed first to `is_safe_url` to make
sure that the redirection is not going to an unwanted location.

Django

Mar 18, 2013, 7:51:04 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 1
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------

Comment (by aaugustin):

#19992 was a duplicate.

--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:13>

Django

Jun 5, 2015, 5:51:26 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: marcaurele
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by marcaurele):

* owner: nobody => marcaurele
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:14>

Django

Jun 5, 2015, 9:21:47 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: marcaurele
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by marcaurele):

Added a new setting REDIRECT_WHITELIST_URLS to allow a list of URLs for
redirection outside the application host. The match is done in
utils.http.is_safe_url(). All tests passed, and the new setting has been
documented.

https://github.com/marcaurele/django/tree/ticket_13751

--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:15>

Django

Jun 5, 2015, 9:27:21 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: marcaurele
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:16>

Django

Jun 5, 2015, 9:44:23 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: marcaurele
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by apollo13):

I am for wontfixing; I do not see a good use case for this now that we have
ALLOWED_HOSTS already. Russ, since you initially accepted it: what are
your thoughts on that?

--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:17>

Django

Jun 5, 2015, 10:00:43 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: marcaurele
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by ubernostrum):

I feel like there are some tricky issues here, especially with the example
given in the documentation -- the part where if a URL in
REDIRECT_WHITELIST_URLS is a prefix of the URL being redirected to
especially scares me, because it creates the possibility of breaking out
of this feature by finding an open redirect on *that* host.

--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:18>
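Worked example added here by the editor; it is not code from the ticket, from the patch branch, or from Django itself. It puts two points from the thread into runnable form: claudep's recommendation that a redirect target taken from user input be checked before it is handed to HttpResponseRedirect, and ubernostrum's objection to matching the target against REDIRECT_WHITELIST_URLS by prefix. The host allow-list check is a stand-in written for this example on top of urllib.parse, not Django's `is_safe_url`; the host names, the ALLOWED_HOSTS set and the whitelist entry are constructed. The chained target `https://sso.example/login?next=https://evil.example/` passes the prefix match (and the host check, since sso.example is listed) and fails only an exact-URL match; where the browser finally lands then depends entirely on how sso.example handles its own next parameter, which is the break-out ubernostrum describes.

```python
from urllib.parse import urlsplit

# Constructed sample configuration for this example (not from the ticket).
ALLOWED_HOSTS = {"app.example", "sso.example"}
# Setting name taken from the patch description; the matching rules below
# are this example's own, not the patch's.
REDIRECT_WHITELIST_URLS = ["https://sso.example/login"]


def _normalize(url):
    """Fold spellings that browsers accept but urlsplit() reads differently."""
    url = url.strip()
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # is a scheme-relative URL to evil.example, not a path on our host.
    return url.replace("\\", "/")


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Host allow-list check written for this example (a stand-in, not
    Django's is_safe_url).  Accepts a relative path or an absolute http(s)
    URL whose host is in allowed_hosts.  Exact host match, never a prefix."""
    if not url:
        return False
    url = _normalize(url)
    # urlsplit() parses "///host" as a bare path; browsers read it as "//host".
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp: ...
    if parts.scheme and not parts.netloc:
        return False  # "http:evil.example": a scheme with no authority
    if require_https and parts.scheme == "http":
        return False
    if not parts.netloc:
        return True  # relative path: stays on the current host
    # .hostname drops userinfo ("app.example@evil.example") and the port and
    # lowercases, so the comparison is against the host the browser will use.
    return parts.hostname in allowed_hosts


def is_allowed_by_prefix(url, whitelist):
    """The rule the thread objects to: accept any target that merely starts
    with a listed URL."""
    return any(url.startswith(entry) for entry in whitelist)


def is_allowed_exact(url, whitelist):
    """Exact match: only the listed URLs themselves, query string included."""
    return url in whitelist


def redirect_target(next_url, allowed_hosts, fallback="/"):
    """Value a view should hand to HttpResponseRedirect for a user-supplied
    ?next= parameter: the parameter if it passes the check, else fallback."""
    return next_url if is_safe_redirect(next_url, allowed_hosts) else fallback


if __name__ == "__main__":
    for candidate in [
        "/accounts/profile/",
        "https://app.example/dashboard",
        "https://evil.example/",
        "//evil.example/",
        "/\\evil.example/",
        "https://app.example@evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {redirect_target(candidate, ALLOWED_HOSTS)}")

    # ubernostrum's case: the allowed URL is a prefix of an attacker-chosen
    # target that rides an open redirect on the allowed host.
    chained = "https://sso.example/login?next=https://evil.example/"
    print("prefix match:", is_allowed_by_prefix(chained, REDIRECT_WHITELIST_URLS))
    print("exact match: ", is_allowed_exact(chained, REDIRECT_WHITELIST_URLS))
    print("host check:  ", is_safe_redirect(chained, ALLOWED_HOSTS))
```

The backslash and `///` cases matter because urlsplit() and browsers disagree on them: a check that only looks at `parts.netloc` would call `/\evil.example/` a relative path and let it through.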

Django

Jun 17, 2015, 12:09:00 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: marcaurele
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by marcaurele):

After another thought on that fix, I must say that I share apollo13's point
of view and don't see a good use case. I'm for wontfixing.

--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:19>

Django

Jun 17, 2015, 12:10:01 AM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner:
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by marcaurele):

* owner: marcaurele =>
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:20>

Django

Jun 17, 2015, 3:25:03 PM
to django-...@googlegroups.com
#13751: Avoid open redirect issue with whitelist
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner:
Type: New feature | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: wontfix
Keywords: open redirect, | Triage Stage: Accepted
security |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* status: new => closed
* resolution: => wontfix


--
Ticket URL: <https://code.djangoproject.com/ticket/13751#comment:21>
