id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27912	Open redirect on non-HTTP protocols: is_safe_url not validating properly	roks0n	Tim Graham	"For this to work, you have to first convert IPv4 (208.118.235.20) into a decimal IP (3497454356).

**GIVEN** I am given a link, e.g. https://example.com/admin/logout/?next=ftp:3497454356
**WHEN** I click on the link (in this case, if I'm logged in)
**THEN** I am redirected to ftp://208.118.235.20

Above also works for https://example.com/admin/login/?next=ftp:3497454356


{{{
In [1]: from django.utils.http import is_safe_url

In [2]: is_safe_url('http:999999999')
Out[2]: False
In [3]: is_safe_url('ftp:999999999')
Out[3]: True
In [4]: is_safe_url('ftp:999999999/test/')
Out[4]: False

In [5]: is_safe_url('ftp:9999999999', host='example.com')
Out[5]: True
In [6]: is_safe_url('http:9999999999', host='example.com')
Out[6]: False
In [7]: is_safe_url('https:9999999999', host='example.com')
Out[7]: True
}}}
"	Bug	closed	HTTP handling	dev	Normal	fixed			Accepted	0	0	0	0	0	0
