Ticket #13751: openredirect-with-docs.diff

django/conf/global_settings.py

@@ -521 +521 @@
 
 # The list of directories to search for fixtures
 FIXTURE_DIRS = ()
+
+#Default url to redirect to to avoid Open Redirect issues. See: #13751
+REDIRECT_FAILURE_URL = "/"

django/http/__init__.py

@@ -3 +3 @@
 from Cookie import BaseCookie, SimpleCookie, CookieError
 from pprint import pformat
 from urllib import urlencode
-from urlparse import urljoin
+from urlparse import urljoin, urlparse
+import logging
 try:
     # The mod_python version is more efficient, so try importing it first.
     from mod_python.util import parse_qsl
@@ -432 +433 @@
 class HttpResponseRedirect(HttpResponse):
     status_code = 302
 
-    def __init__(self, redirect_to):
+    def __init__(self, redirect_to, whitelist=[], fallback_to=None):
         HttpResponse.__init__(self)
         self['Location'] = iri_to_uri(redirect_to)
+        
+        if urlparse(self['Location']).scheme:
+            effective_whitelist = whitelist + getattr(settings, 'REDIRECT_WHITELIST', [])
+
+            matched = False
+
+            for pattern in effective_whitelist:
+                matched = re.compile(pattern).match(self['Location'])
+
+                if matched:
+                    break
+
+            if not matched:
+                logging.warn("Found open redirect attack to %s", self['Location'])
+
+                self['Location'] = fallback_to or settings.REDIRECT_FAILURE_URL
 
 class HttpResponsePermanentRedirect(HttpResponse):
     status_code = 301

docs/ref/request-response.txt

@@ -561 +561 @@
 
 .. class:: HttpResponseRedirect
 
-    The constructor takes a single argument -- the path to redirect to. This
+    The constructor takes a single required argument -- the path to redirect to. This
     can be a fully qualified URL (e.g. ``'http://www.yahoo.com/search/'``) or an
-    absolute URL with no domain (e.g. ``'/search/'``). Note that this returns
-    an HTTP status code 302.
+    absolute URL with no domain (e.g. ``'/search/'``).
+    
+    Two optional parameters are ``whitelist`` and ``fallback_to``
+    that are used to avoid the Open Redirect security issue. (see: http://www.google.com/support/webmasters/bin/answer.py?answer=171297 )
+    The ``whitelist`` param is a list of regular expressions for whitelisted urls.
+    A whitelist can also be defined in the :setting:`REDIRECT_WHITELIST` setting.
+    Additionally, the ``fallback_to`` param is an optional URL to fallback to if
+    none of the ``whitelist`` patterns match. You can also set the :setting:REDIRECT_FAILURE_URL
+    setting to specify your own default fallback. By default this is set to "/".
+    
+    Note that this returns an HTTP status code 302. 
 
 .. class:: HttpResponsePermanentRedirect
 

tests/regressiontests/httpwrappers/tests.py

@@ -1 +1 @@
 import copy
 import pickle
 import unittest
-from django.http import QueryDict, HttpResponse, CompatCookie, BadHeaderError
+from django.http import QueryDict, HttpResponse, CompatCookie, BadHeaderError,\
+    HttpResponseRedirect
+from django.conf import settings
+
 
 class QueryDictTests(unittest.TestCase):
     def test_missing_key(self):
@@ -254 +257 @@
         c2 = CompatCookie()
         c2.load(c.output())
         self.assertEqual(c['test'].value, c2['test'].value)
+
+
+class HttpResponseRedirectTests(unittest.TestCase):
+    def test_open_redirect(self):
+        self.assertEqual('/test', HttpResponseRedirect('/test')['Location'])
+        self.assertEqual(settings.REDIRECT_FAILURE_URL, HttpResponseRedirect('http://djangoproject.com')['Location'])
+
+        r = HttpResponseRedirect('http://djangoproject.com', whitelist=[r'.*'])
+        self.assertEqual('http://djangoproject.com', r['Location'])
+
+        setattr(settings, 'REDIRECT_WHITELIST', [r'.*'])
+        self.assertEqual('http://djangoproject.com', HttpResponseRedirect('http://djangoproject.com')['Location'])