CVE Reuest: Django: Malformed URLs from user input incorrectly validated

[Salvatore Bonaccorso <carnil () debian org>]

Hi

The Django project announced a new security release today:

https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/

It fixes two issues, for which one has already a CVE (CVE-2014-1418).
It also fixes a second issue, for which a CVE is missing, quoting from
the announcement:

> Issue: Malformed URLs from user input incorrectly validated
> The validation for redirects did not correctly validate some malformed
> URLs, which are accepted by some browsers. This allows a user to be
> redirected to an unsafe URL unexpectedly.
>
> Django relies on user input in some cases (e.g.
> django.contrib.auth.views.login, django.contrib.comments, and i18n) to
> redirect the user to an "on success" URL. The security checks for
> these redirects (namely django.util.http.is_safe_url()) did not
> correctly validate some malformed URLs, such as
> http:\\\djangoproject.com, which are accepted by some browsers with
> more liberal URL parsing.
>
> To remedy this, the validation in is_safe_url() has been tightened to
> be able to handle and correctly validate these malformed URLs.
>
> Thanks to Peter Kuma and Gavin Wahl for reporting this issue to us.

Fixes for the various branches are also referenced. Could a CVE also
be assigned for this second issue?

Thanks in advance.

Regards,
Salvatore