Opened 6 years ago
Closed 6 years ago
#29525 closed Cleanup/optimization (fixed)
Handle strings as allowed_hosts arguments to is_safe_url()
Reported by: | Przemysław Suliga | Owned by: | nobody |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Jon Dufresne | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
is_safe_url()
expects a sequence of strings as its allowed_hosts
argument like this
>>> is_safe_url('http://example.com/abc', allowed_hosts={'example.com'}) True
When allowed_hosts
is passed in incorrectly as a string instead of as a sequence of strings like this
>>> is_safe_url('http://good.co/evil', allowed_hosts='good.com') True
is_safe_url()
will return True
for some cases which might be exploited.
Since is_safe_url()
is not Django's public API, I decided to not go via security@djangoproject.com
.
Proposed solution is in https://github.com/django/django/pull/10082
Change History (3)
comment:1 by , 6 years ago
Cc: | added |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 6 years ago
Type checking is fine by me and helps avoid a potentially unsafe mistake. +1
Whether that type checking results in coercing (as done in the PR) or raises an exception, I have no strong opinion. Either is sufficient to prevent mistakes. I guess an exception is a bit more explicit, but, again, no strong opinion.
Jon, I'd like to hear your opinion on this. I suppose the function could at least do type checking to prevent that mistake.