Opened 2 months ago

Last modified 7 days ago

#36000 assigned Cleanup/optimization

Update default from http to https in urlize when protocol not provided

Reported by: Saravana Owned by: Saravana
Component: Template system Version: 5.1
Severity: Normal Keywords:
Cc: Saravana Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by Sarah Boyce)

In django/utils/html.py, in urlize, there is:

url = smart_urlquote("http://%s" % html.unescape(middle))

When user input does not include a protocol it defaults to http (Insecure Protocol).

Example:
Consider a web app using urlize() for a password reset email template

input = "Password reset link myapp.com/password/reset/{token}"

output:

"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"

so when the end user of myapp clicks it, the URL with the token is sent over the insecure http protocol.
This behavior could potentially lead to man-in-the-middle attacks.

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to https://

Change History (6)

comment:1 by Sarah Boyce, 2 months ago

Description: modified (diff)
Has patch: unset
Summary: Insecure URL Handling (HTTP Protocol Default) in urlize → Update default from http to https in urlize when protocol not provided
Triage Stage: Unreviewed → Accepted

Thank you!
Note that the security team discussed this and agreed this can be handled publicly. This is similar to #34380.

comment:2 by Sarah Boyce, 2 months ago

Component: HTTP handling → Template system

comment:3 by Saravana, 2 months ago

Owner: set to Saravana
Status: new → assigned

comment:4 by Adam Johnson, 5 weeks ago

I think we can use a plan similar to how #34380 shook out, with a plan like:

  1. Introduce a transitional setting (URLIZE_ASSUME_HTTPS) that defaults to False. This goes on the deprecation plan for removal in N+2 versions.
  2. When the responsible code path is hit (which should be fairly rare as it only applies to limited domains), check the setting. If it’s False, warn and use 'http', otherwise use 'https'.
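
A sketch of the transitional approach described in comment:4, run over the password reset example from the ticket description. This is added illustrative code, not a Django patch or Django's own urlize: URLIZE_ASSUME_HTTPS, RemovedInFutureDjangoWarning and the helper functions are assumed names, and smart_urlquote plus the real urlize's trailing-punctuation handling are deliberately left out.

```python
import html
import re
import warnings

# Hypothetical transitional setting from comment:4 (a real patch would read it
# from django.conf.settings). False keeps today's http default during deprecation.
URLIZE_ASSUME_HTTPS = False


class RemovedInFutureDjangoWarning(DeprecationWarning):
    """Placeholder for the RemovedInDjangoXXWarning a real patch would use."""


# Simplified stand-in for urlize's check that the text already has a scheme.
_HAS_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def default_scheme(assume_https):
    """Scheme to prepend when the text has none; warn while the setting is False."""
    if assume_https:
        return "https"
    warnings.warn(
        "urlize() will default to https for URLs without a protocol; "
        "set URLIZE_ASSUME_HTTPS = True to opt in now.",
        RemovedInFutureDjangoWarning,
        stacklevel=2,
    )
    return "http"


def add_scheme(middle, assume_https=None):
    """Model of the urlize branch for scheme-less text (smart_urlquote omitted)."""
    if assume_https is None:
        assume_https = URLIZE_ASSUME_HTTPS
    if _HAS_SCHEME.match(middle):
        return html.unescape(middle)
    return "%s://%s" % (default_scheme(assume_https), html.unescape(middle))


def run_with_setting(middle, assume_https):
    """Return (url, number of deprecation warnings raised) for one setting value."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        url = add_scheme(middle, assume_https)
    return url, len(caught)


# Constructed sample input mirroring the ticket's password reset example.
RESET_LINK = "myapp.com/password/reset/EXAMPLE-TOKEN"
```

With the setting left at False the link still becomes http but a deprecation warning is raised once per call; with it set to True the same text becomes https and no warning is raised.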

comment:5 by Saravana, 2 weeks ago

Yeah sure,
I will work on that

comment:6 by IronJam, 7 days ago

I will be happy to work on this one if it's available
