Date: Wed, 14 May 2014 21:37:55 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, security@...ngoproject.com
Subject: CVE Request: Django: Malformed URLs from user input incorrectly validated

Hi

The Django project announced a new security release today:

https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/

It fixes two issues, one of which already has a CVE (CVE-2014-1418).
The second issue still lacks a CVE; quoting from the announcement:

> Issue: Malformed URLs from user input incorrectly validated
> The validation for redirects did not correctly validate some malformed
> URLs, which are accepted by some browsers. This allows a user to be
> redirected to an unsafe URL unexpectedly.
> 
> Django relies on user input in some cases (e.g.
> django.contrib.auth.views.login, django.contrib.comments, and i18n) to
> redirect the user to an "on success" URL. The security checks for
> these redirects (namely django.util.http.is_safe_url()) did not
> correctly validate some malformed URLs, such as
> http:\\\djangoproject.com, which are accepted by some browsers with
> more liberal URL parsing.
> 
> To remedy this, the validation in is_safe_url() has been tightened to
> be able to handle and correctly validate these malformed URLs.
> 
> Thanks to Peter Kuma and Gavin Wahl for reporting this issue to us.

Fixes for the various branches are also referenced. Could a CVE also
be assigned for this second issue?

Thanks in advance.

Regards,
Salvatore
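
The announcement quoted above explains the defect in one sentence: a redirect safety check parsed the target with a strict URL parser while browsers parse the same string leniently, so `http:\\\djangoproject.com` looked like a relative path to the check and like an absolute URL to the browser. The following is an added illustration written for this post, not Django's own `is_safe_url()` and not code from the announcement. `is_safe_url_naive()` is a hypothetical check of the pre-fix kind (parse, then compare the netloc to the current host); `is_safe_url_hardened()` normalises the forms lenient browsers accept before deciding, in the spirit of the tightening the announcement describes. The host `example.com`, the attacker host `attacker.example` and the case list are constructed test inputs.

```python
from urllib.parse import urlparse


def is_safe_url_naive(url, host):
    """Hypothetical pre-fix style check (not Django's code): accept a relative
    URL, or an absolute http(s) URL whose parsed netloc equals the current host.
    It trusts urlparse() to see the URL the way a browser will."""
    if not url:
        return False
    parsed = urlparse(url)
    return (not parsed.netloc or parsed.netloc == host) and (
        not parsed.scheme or parsed.scheme in ("http", "https"))


def is_safe_url_hardened(url, host):
    """Tightened check (own illustration of the approach the announcement
    describes): normalise what lenient browsers tolerate, then decide."""
    if not url:
        return False
    # Lenient browsers treat a backslash as a forward slash; normalise first,
    # otherwise urlparse() sees a path where the browser will see a host.
    url = url.replace("\\", "/")
    # Three or more leading slashes are read by such browsers as an absolute
    # URL with a caller-chosen host, but urlparse() reads them as a path.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    # A scheme with an empty netloc ("http:///host") is parsed by urlparse()
    # as scheme + path, but browsers take "host" as the host; refuse it.
    if parsed.scheme and not parsed.netloc:
        return False
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    return not parsed.netloc or parsed.netloc == host


# Constructed test inputs: (redirect target, verdict a correct check must give).
HOST = "example.com"
CASES = [
    ("/accounts/profile/", True),
    ("https://example.com/next", True),
    ("https://attacker.example/", False),
    ("http:\\\\\\djangoproject.com", False),  # the malformed form quoted in the announcement
    ("///djangoproject.com", False),
    ("http:///djangoproject.com", False),
]


def compare_checks(host=HOST, cases=CASES):
    """Return (url, naive verdict, hardened verdict, expected verdict) per case."""
    return [(u, is_safe_url_naive(u, host), is_safe_url_hardened(u, host), exp)
            for u, exp in cases]


if __name__ == "__main__":
    for url, naive, hardened, expected in compare_checks():
        flag = "" if hardened == expected else "  <-- WRONG"
        print(f"{url!r:36} naive={naive!s:5} hardened={hardened!s:5}{flag}")
```

Running the block shows the naive check returning True for the three malformed cases (the strict parser yields an empty netloc, which the naive logic treats as "relative, so safe") while the hardened check rejects all three and still accepts the two legitimate targets. The general lesson is the one the announcement implies: a redirect validator has to reason about the parser the browser will use, not only the one the server happens to have.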
