Opened 3 months ago
Last modified 3 weeks ago
#36000 assigned Cleanup/optimization
Insecure URL Handling (HTTP Protocol Default) in urlize — at Initial Version
Reported by: | Saravana | Owned by: | |
---|---|---|---|
Component: | Template system | Version: | 5.1 |
Severity: | Normal | Keywords: | |
Cc: | Saravana | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Pull Requests: | | | |
Description
Hi Team,
In django/utils/html.py, line no 347, due to the following code,

```python
# Quoted from django/utils/html.py (the urlize helper): a scheme-less URL gets "http://" prepended
url = smart_urlquote("http://%s" % html.unescape(middle))
```

When user input does not include a protocol, it defaults to http (an insecure protocol).

Example:

Consider a web app using urlize() for a password reset email template.

Input:

```
Password reset link myapp.com/password/reset/{token}
```

Output:

```html
Password reset link <a href="http://myapp.com/password/reset/{token}"/>
```

So when the end user of myapp clicks it, the URL with the token is sent over the insecure http protocol.
This behavior could potentially lead to man-in-the-middle attacks.

Suggested fix:

Default to HTTPS: if the URL doesn't specify a protocol, Django could default to https://
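The behaviour described in the report, as an added example that is not part of the ticket or of Django's own code: a pre-processing helper (`ensure_https_scheme`, hypothetical) gives scheme-less links an explicit `https://` before `urlize()` sees them, since urlize only prepends `http://` when no scheme is present, and a pre-send check (`insecure_hrefs`, hypothetical) flags any `http://` anchors in rendered email HTML. It runs without Django; the sample template text and the urlized output strings are constructed from the ticket.

```python
import re
from html.parser import HTMLParser

# Constructed samples: the scheme-less link from the ticket, and approximations of
# what urlize emits for it before and after the link carries an explicit scheme.
SAMPLE_TEMPLATE_TEXT = "Password reset link myapp.com/password/reset/{token}"
URLIZED_DEFAULT = ('Password reset link <a href="http://myapp.com/password/reset/{token}"'
                   ' rel="nofollow">myapp.com/password/reset/{token}</a>')
URLIZED_AFTER_FIX = ('Password reset link <a href="https://myapp.com/password/reset/{token}"'
                     ' rel="nofollow">https://myapp.com/password/reset/{token}</a>')

# Bare host[/path] fragments that urlize would wrap in <a href="http://...">.
# The lookbehind skips fragments already preceded by a scheme ("//"), an "@"
# (email addresses) or a word character (so nothing matches mid-word).
# Limitation: a trailing ")" or "," glued to the path is swallowed by \S*.
_BARE_URL = re.compile(r'(?<![\w/:@.])((?:[\w-]+\.)+[a-zA-Z]{2,}(?:/\S*)?)')


def ensure_https_scheme(text):
    """Hypothetical helper: prefix scheme-less links with https:// so that urlize()
    keeps the explicit scheme instead of defaulting to http://."""
    return _BARE_URL.sub(r'https://\1', text)


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> value (self-closing <a .../> included)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_hrefs(rendered_html):
    """Hypothetical pre-send check for generated mail such as password resets:
    return every anchor target that uses plain http://."""
    parser = _HrefCollector()
    parser.feed(rendered_html)
    return [h for h in parser.hrefs if h.lower().startswith("http://")]


if __name__ == "__main__":
    print(ensure_https_scheme(SAMPLE_TEMPLATE_TEXT))
    print(insecure_hrefs(URLIZED_DEFAULT), insecure_hrefs(URLIZED_AFTER_FIX))
```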
According to the ticket's flags, the next step(s) to move this issue forward are:

- To provide a patch by sending a pull request. Claim the ticket when you start working so that someone else doesn't duplicate effort. Before sending a pull request, review your work against the patch review checklist. Check the "Has patch" flag on the ticket after sending a pull request and include a link to the pull request in the ticket comment when making that update. The usual format is: [https://github.com/django/django/pull/#### PR].