Opened 6 years ago
Closed 6 years ago
#29525 closed Cleanup/optimization (fixed)
Handle strings as allowed_hosts arguments to is_safe_url()
| Reported by: | Przemysław Suliga | Owned by: | nobody |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Jon Dufresne | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
is_safe_url() expects a sequence of strings as its allowed_hosts argument like this
>>> is_safe_url('http://example.com/abc', allowed_hosts={'example.com'})
True
When allowed_hosts is passed in incorrectly as a string instead of as a sequence of strings like this
>>> is_safe_url('http://good.co/evil', allowed_hosts='good.com')
True
is_safe_url() will return True for some cases which might be exploited.
Since is_safe_url() is not Django's public API, I decided to not go via security@djangoproject.com.
Proposed solution is in https://github.com/django/django/pull/10082
Change History (3)
comment:1 by , 6 years ago
| Cc: | added |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 6 years ago
Type checking is fine by me and helps avoid a potentially unsafe mistake. +1
Whether that type checking results in coercing (as done in the PR) or raises an exception, I have no strong opinion. Either is sufficient to prevent mistakes. I guess an exception is a bit more explicit, but, again, no strong opinion.
Jon, I'd like to hear your opinion on this. I suppose the function could at least do type checking to prevent that mistake.