Opened 7 years ago

Closed 6 years ago

#29525 closed Cleanup/optimization (fixed)

Handle strings as allowed_hosts arguments to is_safe_url()

Reported by: Przemysław Suliga Owned by: nobody
Component: Utilities Version: dev
Severity: Normal Keywords:
Cc: Jon Dufresne Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

is_safe_url() expects a sequence of strings as its allowed_hosts argument like this

>>> is_safe_url('http://example.com/abc', allowed_hosts={'example.com'})
True

When allowed_hosts is passed in incorrectly as a string instead of as a sequence of strings like this

>>> is_safe_url('http://good.co/evil', allowed_hosts='good.com')
True

is_safe_url() will return True for some cases which might be exploited.

Since is_safe_url() is not Django's public API, I decided to not go via security@djangoproject.com.

Proposed solution is in https://github.com/django/django/pull/10082

Change History (3)

comment:1 by Tim Graham, 6 years ago

Cc: Jon Dufresne added
Triage Stage: UnreviewedAccepted

Jon, I'd like to hear your opinion on this. I suppose the function could at least do type checking to prevent that mistake.

comment:2 by Jon Dufresne, 6 years ago

Type checking is fine by me and helps avoid a potentially unsafe mistake. +1

Whether that type checking results in coercing (as done in the PR) or raises an exception, I have no strong opinion. Either is sufficient to prevent mistakes. I guess an exception is a bit more explicit, but, again, no strong opinion.

comment:3 by Tim Graham <timograham@…>, 6 years ago

Resolution: fixed
Status: newclosed

In d22b90b4:

Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string.

Note: See TracTickets for help on using tickets.
Back to Top