Re: [Django] #36000: Update default from http to https in urlize when protocol not provided (was: Insecure URL Handling (HTTP Protocol Default) in urlize)


Django

Dec 11, 2024, 11:54:09 AM12/11/24
to django-...@googlegroups.com
#36000: Update default from http to https in urlize when protocol not provided
--------------------------------------+------------------------------------
Reporter: saravana-hackz | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: HTTP handling | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Sarah Boyce):

* has_patch: 1 => 0
* stage: Unreviewed => Accepted
* summary: Insecure URL Handling (HTTP Protocol Default) in urlize =>
Update default from http to https in urlize when protocol not provided


Old description:

> Hi Team,
> In django/utils/html.py, line 347, due to the following code,
> url = smart_urlquote("http://%s" % html.unescape(middle))
>
> When user input does not include a protocol it by default prefers http
> (an insecure protocol).
> Example:
> Consider a web app using urlize() for a password reset email template
> input = Password reset link myapp.com/password/reset/{token}
> output,
> Password reset link <a href="http://myapp.com/password/reset/{token}"/>
> so when the end user of myapp clicks it, the URL with the token is sent over
> the insecure http protocol.
>
> This behavior could potentially lead to man-in-the-middle attacks
>
> Suggested Fix:
> Default to HTTPS: If the URL doesn't specify a protocol, Django could
> default to https://

New description:

In `django/utils/html.py`, in `urlize`, there is:
{{{
url = smart_urlquote("http://%s" % html.unescape(middle))
}}}

When user input does not include a protocol it defaults to http (an insecure
protocol).

Example:
Consider a web app using `urlize()` for a password reset email template:
{{{
input = "Password reset link myapp.com/password/reset/{token}"
}}}
output:
{{{
"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"
}}}

so when the end user of myapp clicks it, the URL with the token is sent over
the insecure http protocol.
This behavior could potentially lead to man-in-the-middle attacks.

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could
default to https://

--
Comment:

Thank you!
Note that the security team discussed this and agreed this can be handled
publicly. This is similar to #34380.
--
Ticket URL: <https://code.djangoproject.com/ticket/36000#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
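As an added illustration (this is not Django's code and not part of the ticket), the block below is a simplified stand-in for the scheme-prefixing step of `urlize()`, with the default scheme made a parameter so the current `http` behaviour and the proposed `https` behaviour can be compared on the ticket's own example. It also includes a small check that scans rendered HTML for links that ended up as plain `http://`, which is the kind of test a team could run over rendered email templates. The names `urlize_simple` and `insecure_links`, the regexes, and the sample text are my own assumptions; the real `urlize` additionally handles e-mail addresses, `smart_urlquote`, `nofollow`, autoescaping and more.

```python
import html
import re

# Simplified stand-in for the URL-linkifying part of Django's urlize().
# NOT Django's implementation: it only splits on spaces, recognises an
# explicit scheme or a bare "host.tld[/path]" token, and ignores e-mail
# addresses, quoting edge cases and autoescape handling.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")
# host label(s) + TLD of at least two letters, optionally followed by a path
BARE_DOMAIN_RE = re.compile(r"^[\w-]+(\.[\w-]+)*\.[a-zA-Z]{2,}(/\S*)?$")
TRAILING_PUNCTUATION = ".,:;!?)"


def urlize_simple(text, default_scheme="http"):
    """Wrap URL-looking tokens in <a> tags.

    Tokens without a scheme are prefixed with `default_scheme`; the ticket
    describes Django's current behaviour as "http" and proposes "https".
    """
    out = []
    for word in text.split(" "):
        # Keep trailing punctuation outside the link, as urlize does.
        stripped = word.rstrip(TRAILING_PUNCTUATION)
        trail = word[len(stripped):]
        if SCHEME_RE.match(stripped):
            url = stripped                     # explicit scheme: leave it alone
        elif BARE_DOMAIN_RE.match(stripped):
            url = f"{default_scheme}://{stripped}"  # the line the ticket is about
        else:
            out.append(html.escape(word))
            continue
        out.append(
            f'<a href="{html.escape(url)}">{html.escape(stripped)}</a>'
            f"{html.escape(trail)}"
        )
    return " ".join(out)


def insecure_links(rendered_html):
    """Return every href that uses plain http://.

    A cheap defensive check for rendered templates (password-reset e-mails,
    notifications) that should never carry tokens over cleartext HTTP.
    Regex-based and deliberately simple; it assumes double-quoted hrefs.
    """
    return re.findall(r'href="(http://[^"]*)"', rendered_html)


# Constructed sample text, taken from the ticket's example.
SAMPLE_TEXT = "Password reset link myapp.com/password/reset/{token}"

if __name__ == "__main__":
    current = urlize_simple(SAMPLE_TEXT)                         # http default
    proposed = urlize_simple(SAMPLE_TEXT, default_scheme="https")  # https default
    print("current : ", current)
    print("proposed: ", proposed)
    print("cleartext links in current :", insecure_links(current))
    print("cleartext links in proposed:", insecure_links(proposed))
```

Running the block prints the two renderings side by side; only the `http` default produces a hit from `insecure_links`, which is the regression the ticket wants to remove. A token that already carries a scheme (e.g. `https://example.com/x.`) is left untouched and the trailing full stop stays outside the anchor.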