Date: Wed, 14 May 2014 23:08:02 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...ngoproject.com Subject: Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ > It also fixes a second issue, for which a CVE is missing, quoting from > the announcement: >> Issue: Malformed URLs from user input incorrectly validated >> The validation for redirects did not correctly validate some malformed >> URLs, which are accepted by some browsers. This allows a user to be >> redirected to an unsafe URL unexpectedly. >> >> Django relies on user input in some cases (e.g. >> django.contrib.auth.views.login, django.contrib.comments, and i18n) to >> redirect the user to an "on success" URL. The security checks for >> these redirects (namely django.util.http.is_safe_url()) did not >> correctly validate some malformed URLs, such as >> http:\\\djangoproject.com, which are accepted by some browsers with >> more liberal URL parsing. >> >> To remedy this, the validation in is_safe_url() has been tightened to >> be able to handle and correctly validate these malformed URLs. > https://github.com/django/django/commit/255449c1ee61c14778658caae8c430fa4d76afd6 > url = url.replace('\\', '/') > > if url.startswith('///'): > return False > > Forbid URLs like http:///example.com - with a scheme, but without a hostname. Use CVE-2014-3730. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTdC8jAAoJEKllVAevmvmsX9kIAKlhUlg8UwBHt/xmmPAwiXjs WrMV5kbkEvEDjfz2IWYY3We8NkGeuSLFzD27j8LaBSzeS6c6ARX57B5xfXZMLnV6 2wmXl75mz/vZFc9+7IYtMZ53nbOE7I5occLi69zH0gX208uuW3F+hFqf6735sYgt FGoXIZfkfDYA+j8fyXlxkfDPMVKolsiFGfidgbmK7J3D3YPBshneI77wYq//nwlO ihSs55P+T9tZctlOUfdBvSWzIzbOfi3w3WcXcFPE+n61XpHpVq7bDeCB/GlpBkcA GiyVT9mkM9dC1CykY4WGbQUoXP9JZ4fg/eoowXnKNn8q20/e5pHCHhM2vBkYVxw= =LjKL -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ