mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Prevented reverse() from generating URLs pointing to other hosts.

Browse Source 
This is a security fix. Disclosure following shortly.
This commit is contained in:
Florian Apolloner
2014-07-17 21:59:28 +02:00
committed by Tim Graham
parent ec71191be0
commit 28e765810d
6 changed files with 50 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
docs/releases/1.4.14.txt
View File

@@ -5,3 +5,16 @@ Django 1.4.14 release notes
*Under development*
Django 1.4.14 fixes several security issues in 1.4.13.
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================
In certain situations, URL reversing could generate scheme-relative URLs (URLs
starting with two slashes), which could unexpectedly redirect a user to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.
To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.

13
docs/releases/1.5.9.txt
View File

@@ -5,3 +5,16 @@ Django 1.5.9 release notes
*Under development*
Django 1.5.9 fixes several security issues in 1.5.8.
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================
In certain situations, URL reversing could generate scheme-relative URLs (URLs
starting with two slashes), which could unexpectedly redirect a user to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.
To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.

13
docs/releases/1.6.6.txt
View File

@@ -6,6 +6,19 @@ Django 1.6.6 release notes
Django 1.6.6 fixes several security issues and bugs in 1.6.5.
:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================
In certain situations, URL reversing could generate scheme-relative URLs (URLs
starting with two slashes), which could unexpectedly redirect a user to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.
To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.
Bugfixes
========