#27912 closed Bug (fixed)
Open redirect on non-HTTP protocols: is_safe_url not validating properly
| Reported by: | roks0n | Owned by: | Tim Graham |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
For this to work, you have to first convert IPv4 (208.118.235.20) into a decimal IP (3497454356).
GIVEN I am given a link, e.g. https://example.com/admin/logout/?next=ftp:3497454356
WHEN I click on the link (in this case, if I'm logged in)
THEN I am redirected to ftp://208.118.235.20
Above also works for https://example.com/admin/login/?next=ftp:3497454356
In [1]: from django.utils.http import is_safe_url
In [2]: is_safe_url('http:999999999')
Out[2]: False
In [3]: is_safe_url('ftp:999999999')
Out[3]: True
In [4]: is_safe_url('ftp:999999999/test/')
Out[4]: False
In [5]: is_safe_url('ftp:9999999999', host='example.com')
Out[5]: True
In [6]: is_safe_url('http:9999999999', host='example.com')
Out[6]: False
In [7]: is_safe_url('https:9999999999', host='example.com')
Out[7]: True
Change History (6)
comment:1 by , 7 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 7 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
In 8339277: