oss-sec mailing list archives
Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated
From: cve-assign () mitre org
Date: Wed, 14 May 2014 23:08:02 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
It also fixes a second issue, for which a CVE is missing, quoting from the announcement:
Issue: Malformed URLs from user input incorrectly validated The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. Django relies on user input in some cases (e.g. django.contrib.auth.views.login, django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.util.http.is_safe_url()) did not correctly validate some malformed URLs, such as http:\\\djangoproject.com, which are accepted by some browsers with more liberal URL parsing. To remedy this, the validation in is_safe_url() has been tightened to be able to handle and correctly validate these malformed URLs.
https://github.com/django/django/commit/255449c1ee61c14778658caae8c430fa4d76afd6
url = url.replace('\\', '/') if url.startswith('///'): return False Forbid URLs like http:///example.com - with a scheme, but without a hostname.
Use CVE-2014-3730. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTdC8jAAoJEKllVAevmvmsX9kIAKlhUlg8UwBHt/xmmPAwiXjs WrMV5kbkEvEDjfz2IWYY3We8NkGeuSLFzD27j8LaBSzeS6c6ARX57B5xfXZMLnV6 2wmXl75mz/vZFc9+7IYtMZ53nbOE7I5occLi69zH0gX208uuW3F+hFqf6735sYgt FGoXIZfkfDYA+j8fyXlxkfDPMVKolsiFGfidgbmK7J3D3YPBshneI77wYq//nwlO ihSs55P+T9tZctlOUfdBvSWzIzbOfi3w3WcXcFPE+n61XpHpVq7bDeCB/GlpBkcA GiyVT9mkM9dC1CykY4WGbQUoXP9JZ4fg/eoowXnKNn8q20/e5pHCHhM2vBkYVxw= =LjKL -----END PGP SIGNATURE-----
Current thread:
- CVE Reuest: Django: Malformed URLs from user input incorrectly validated Salvatore Bonaccorso (May 14)
- Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated cve-assign (May 14)