#28142 closed Bug (fixed)
is_safe_url() raises ValueError for invalid IPv6 URLs
| Reported by: | Michal Čihař | Owned by: | Uman Shahzad |
|---|---|---|---|
| Component: | Utilities | Version: | 1.11 |
| Severity: | Normal | Keywords: | |
| Cc: | emidanrko564@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
The is_safe_url function can raise ValueError from _urlsplit. IMHO it should catch the error from parsing and return False in this case.
This can happen for example with next=http://168.192.0.1]
Traceback from 1.10, but it happens on 1.11 as well (and actually raises the ValueError even on the login page as it is now doing the validation).
File "/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py" in inner
47. return func(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py" in sensitive_post_parameters_wrapper
76. return view(request, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/django/utils/decorators.py" in _wrapped_view
149. response = view_func(request, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/django/views/decorators/cache.py" in _wrapped_view_func
57. response = view_func(request, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py" in login
83. return HttpResponseRedirect(_get_login_redirect_url(request, redirect_to))
File "/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py" in _get_login_redirect_url
53. if not is_safe_url(url=redirect_to, host=request.get_host()):
File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in is_safe_url
309. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in _is_safe_url
369. url_info = _urlparse(url)
File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in _urlparse
321. splitresult = _urlsplit(url, scheme, allow_fragments)
File "/usr/lib/python2.7/dist-packages/django/utils/http.py" in _urlsplit
355. raise ValueError("Invalid IPv6 URL")
Exception Type: ValueError at /accounts/login/
Exception Value: Invalid IPv6 URL
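Added example, not Django's own code: a guarded redirect-target check that models the fix this report asks for, catching the `ValueError` that `urlsplit()` raises for `http://168.192.0.1]` and treating the input as unsafe instead of letting the login view crash. The `is_safe_url_guarded` name, `ALLOWED_SCHEMES` and the sample hosts are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def _is_safe_url(url, allowed_hosts):
    # "///evil.example" is parsed as a path by urlsplit but treated as
    # protocol-relative by browsers; reject it outright.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        # The ticket's case: a stray ']' in the authority makes urlsplit
        # raise "Invalid IPv6 URL". Unparsable input is never a safe target.
        return False
    # A scheme with no authority (e.g. "javascript:alert(1)") is unsafe.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Absolute URLs may only point at a host we explicitly allow. netloc keeps
    # userinfo and port, so "allowed.example@evil.example" never matches.
    if parts.netloc and parts.netloc.lower() not in allowed_hosts:
        return False
    return True


def is_safe_url_guarded(url, allowed_hosts):
    """True if url is a relative path or an http(s) URL on an allowed host.

    Unlike a bare urlsplit(), malformed input yields False, not ValueError.
    """
    if not url:
        return False
    url = url.strip()
    hosts = {h.lower() for h in allowed_hosts}
    # Some browsers treat '\' as '/', so the backslash-normalised form must
    # pass as well (the traceback above shows the same two-pass check).
    return all(_is_safe_url(u, hosts) for u in (url, url.replace("\\", "/")))


if __name__ == "__main__":
    # Constructed sample: the exact next= value from the report.
    print(is_safe_url_guarded("http://168.192.0.1]", {"testserver"}))  # False
```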
Change History (7)
comment:1 by , 9 years ago
| Component: | contrib.auth → Utilities |
|---|---|
| Easy pickings: | set |
| Summary: | Login ends up with ValueError with some next URLs → is_safe_url() raises ValueError for invalid IPv6 URLs |
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 9 years ago
| Cc: | added |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
comment:3 by , 9 years ago
| Has patch: | set |
|---|---|
| Needs documentation: | set |
| Needs tests: | set |
comment:4 by , 9 years ago
| Needs documentation: | unset |
|---|
comment:5 by , 9 years ago
| Needs tests: | unset |
|---|
I think this commit matches the suggested requirement of the original poster.
Will begin work on it at https://github.com/UmanShahzad/django/tree/ticket_28142