Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.

This is a security fix.
2025-10-24 22:26:08 +00:00 · 2016-02-22 16:47:01 -05:00
parent f43291639b
commit c5544d2892
4 changed files with 50 additions and 2 deletions
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -290,8 +290,12 @@ def is_safe_url(url, host=None):
        url = url.strip()
    if not url:
        return False
-    # Chrome treats \ completely as /
-    url = url.replace('\\', '/')
+    # Chrome treats \ completely as / in paths but it could be part of some
+    # basic auth credentials so we need to check both URLs.
+    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+
+def _is_safe_url(url, host):
    # Chrome considers any URL with more than two slashes to be absolute, but
    # urlparse is not so flexible. Treat any url with three slashes as unsafe.
    if url.startswith('///'):