Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#28142 closed Bug (fixed)

is_safe_url() raises ValueError for invalid IPv6 URLs

Reported by: Michal Čihař
Owned by: Uman Shahzad
Component: Utilities
Version: 1.11
Severity: Normal
Keywords:
Cc: emidanrko564@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

The is_safe_url function can raise ValueError from _urlsplit. IMHO it should catch the error from parsing and return False in this case.

This can happen for example with next=http://168.192.0.1]

Traceback from 1.10, but it happens on 1.11 as well (and actually raises the ValueError even on the login page as it is now doing the validation).

File "/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py" in inner
  47.         return func(*args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py" in sensitive_post_parameters_wrapper
  76.             return view(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/utils/decorators.py" in _wrapped_view
  149.                     response = view_func(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/decorators/cache.py" in _wrapped_view_func
  57.         response = view_func(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py" in login
  83.             return HttpResponseRedirect(_get_login_redirect_url(request, redirect_to))

File "/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py" in _get_login_redirect_url
  53.     if not is_safe_url(url=redirect_to, host=request.get_host()):

File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in is_safe_url
  309.     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in _is_safe_url
  369.     url_info = _urlparse(url)

File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in _urlparse
  321.     splitresult = _urlsplit(url, scheme, allow_fragments)

File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in _urlsplit
  355.             raise ValueError("Invalid IPv6 URL")

Exception Type: ValueError at /accounts/login/
Exception Value: Invalid IPv6 URL
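A minimal reimplementation of the check, added here as an example and not Django's own code (the helper names and the simplified rules are assumptions modelled on the functions in the traceback above): a parse failure such as the unbalanced bracket in next=http://168.192.0.1] is caught and reported as unsafe instead of escaping from the login view as a 500.

```python
import unicodedata
from urllib.parse import urlsplit


def _is_safe_url(url, host):
    # Chrome treats any URL with three leading slashes as absolute, so refuse it.
    if url.startswith('///'):
        return False
    try:
        url_info = urlsplit(url)
    except ValueError:  # e.g. "Invalid IPv6 URL" for "http://168.192.0.1]"
        return False
    # Forbid a scheme without a host (http:///example.com): browsers still
    # treat example.com as the host even though urlsplit puts it in the path.
    if not url_info.netloc and url_info.scheme:
        return False
    # Forbid URLs starting with control characters, which some browsers skip
    # and then read the remainder as scheme-relative.
    if unicodedata.category(url[0])[0] == 'C':
        return False
    return ((not url_info.netloc or url_info.netloc == host) and
            (not url_info.scheme or url_info.scheme in ('http', 'https')))


def is_safe_url(url, host):
    """Return True only if `url` is a relative path or points at `host` over
    http(s). Unparseable input is treated as unsafe rather than raising."""
    url = (url or '').strip()
    if not url:
        return False
    # Check the backslash-normalised form too, since browsers treat '\' as '/'.
    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
```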

Change History (7)

comment:1 Changed 7 months ago by Tim Graham

Component: contrib.auth → Utilities
Easy pickings: set
Summary: Login ends up with ValueError with some next URLs → is_safe_url() raises ValueError for invalid IPv6 URLs
Triage Stage: Unreviewed → Accepted

comment:2 Changed 7 months ago by Uman Shahzad

Cc: emidanrko564@… added
Owner: changed from nobody to Uman Shahzad
Status: new → assigned
Last edited 7 months ago by Tim Graham

comment:3 Changed 7 months ago by Uman Shahzad

Has patch: set
Needs documentation: set
Needs tests: set

comment:4 Changed 7 months ago by Uman Shahzad

Needs documentation: unset

comment:5 Changed 7 months ago by Uman Shahzad

Needs tests: unset

I think this commit matches the suggested requirement of the original poster.

comment:6 Changed 7 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 856072dd:

Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.

comment:7 Changed 7 months ago by Tim Graham <timograham@…>

In 03d0c05f:

[1.11.x] Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.

Backport of 856072dd4a3e479aa09b0ab6b498ff599ca2a809 from master
