Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#23602 closed Uncategorized (fixed)

Document that get_absolute_url should not return a link/url made from user input

Reported by: Markus Holtermann
Owned by: Markus Holtermann
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc: Markus Holtermann
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The docs for get_absolute_url() should clearly state that returning something completely made from user input is a bad idea and may lead to link or redirect poisoning.

https://docs.djangoproject.com/en/1.7/ref/models/instances/#get-absolute-url
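The anti-pattern the ticket describes, as an added illustration that is not part of the ticket or of Django's own code: `UnsafeArticle`, `SafeArticle`, `reverse_article` and `is_local_path` are assumed stand-in names, and `reverse_article` only mimics what a URL resolver returns for a named route, so the block runs without Django installed.

```python
from urllib.parse import quote, urlsplit


def reverse_article(slug: str) -> str:
    """Stand-in for reverse('article-detail', args=[slug]): the route is fixed
    and the slug is percent-encoded, so user data can only fill one path segment."""
    return "/articles/%s/" % quote(slug, safe="")


class UnsafeArticle:
    """Anti-pattern: a user-submitted 'link' field is returned verbatim, so a
    stored value such as 'https://evil.example/phish' becomes the object's URL."""

    def __init__(self, link: str):
        self.link = link  # constructed: imagine this came from a form

    def get_absolute_url(self) -> str:
        return self.link


class SafeArticle:
    """Builds the URL from a named route plus the object's slug; user input
    never chooses the scheme or host."""

    def __init__(self, slug: str):
        self.slug = slug

    def get_absolute_url(self) -> str:
        return reverse_article(self.slug)


def is_local_path(url: str) -> bool:
    """True only for a same-origin absolute path: no scheme, no host, and not a
    protocol-relative ('//host') or backslash ('/\\host') form a browser may
    read as an external host."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return url.startswith("/") and not url.startswith(("//", "/\\"))


if __name__ == "__main__":
    for obj in (UnsafeArticle("//evil.example/phish"), SafeArticle("//evil.example/phish")):
        url = obj.get_absolute_url()
        print(type(obj).__name__, repr(url), "local" if is_local_path(url) else "EXTERNAL")
```

A check like `is_local_path()` is the kind of guard a link-rendering or redirect helper can apply before emitting a URL, but the real fix is the one the ticket documents: build the URL from a route, not from stored user input.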

Change History (7)

comment:1 by Markus Holtermann, 10 years ago

Has patch: set
Status: new → assigned

comment:2 by Collin Anderson, 10 years ago

Do you have an example?

comment:3 by Markus Holtermann, 10 years ago

Summary: Document that get_absolute_url should return a link/url made from user input → Document that get_absolute_url should not return a link/url made from user input

Oops, missed a "not" in the subject.

comment:4 by Michael Manfre, 10 years ago

Triage Stage: Unreviewed → Accepted

comment:5 by Markus Holtermann <info@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In 04bd84786d39b8a17620dfb3b354599d8d95417b:

Fixed #23602 -- Add comment on get_absolute_url regarding user input

comment:6 by Carl Meyer <carl@…>, 10 years ago

In 844ba211ceea11ad2aa81f6a55c518228dd33a53:

Merge pull request #3307 from Markush2010/ticket23602

Fixed #23602 -- Add comment on get_absolute_url regarding user input

comment:7 by Carl Meyer <carl@…>, 10 years ago

In b3569b3a825e82d25ffadf49f436c13f30a205f8:

[1.7.X] Fixed #23602 -- Add comment on get_absolute_url regarding user input

Backport of 04bd84786d39b8a17620dfb3b354599d8d95417b from master.
