#26902 closed New feature (fixed)
Add `secure` argument to `is_safe_url()`
Reported by: | Przemysław Suliga | Owned by: | nobody |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | berker.peksag@… | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
django.utils.http.is_safe_url()
considers any HTTP and HTTPS url safe as long as its hostname matches the host
argument. Currently this is true: is_safe_url('http://example.com', host='example.com')
.
Let's add a secure
argument to is_safe_url()
so that when it's True
, only HTTPS is considered as a safe scheme.
The existence of that argument alone would make users aware of potential issues that can arise from ignoring it. For example if a developer uses is_safe_url()
to validate user supplied urls for redirection to a target with appended secrets as url query params.
django.contrib.admin
uses django.contrib.auth
login view where is_safe_url()
is used to validate the next
query param. This scenario is currently possible:
- user goes to https://example.net/admin/login/?next=http://example.net/admin/foo
- they enter their credentials and POST to the above url
- They're successfully authenticated, they receive a response with a new session cookie and are redirected to http://example.net/admin/foo
Of course our HTTPS site should only set Secure
session cookies and use HSTS, so there should be no possibility of the the cookie being sent by the user via HTTP. But if the site doesn't set secure cookies and doesn't use HSTS, this is a problem. If the site doesn't use secure cookies in the first place, then the secure
param to is_safe_url()
won't help much.. but I would argue it still makes the validation more "complete".
Change History (5)
comment:1 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 8 years ago
Cc: | added |
---|---|
Triage Stage: | Accepted → Ready for checkin |
PR #6923 looks good to me. I just left two minor comments about the PR.