[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.

mstriemer · timgraham · commit fc6d147a63f8 · 2016-03-01T11:38:49.000-05:00
This is a security fix.
diff --git a/django/utils/http.py b/django/utils/http.py
@@ -290,8 +290,12 @@ def is_safe_url(url, host=None):
         url = url.strip()
     if not url:
         return False
-    # Chrome treats \ completely as /
-    url = url.replace('\\', '/')
+    # Chrome treats \ completely as / in paths but it could be part of some
+    # basic auth credentials so we need to check both URLs.
+    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+
+def _is_safe_url(url, host):
     # Chrome considers any URL with more than two slashes to be absolute, but
     # urlparse is not so flexible. Treat any url with three slashes as unsafe.
     if url.startswith('///'):
diff --git a/docs/releases/1.8.10.txt b/docs/releases/1.8.10.txt
@@ -6,6 +6,22 @@ Django 1.8.10 release notes
 
 Django 1.8.10 fixes two security issues and several bugs in 1.8.9.
 
+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/1.9.3.txt b/docs/releases/1.9.3.txt
@@ -6,6 +6,22 @@ Django 1.9.3 release notes
 
 Django 1.9.3 fixes two security issues and several bugs in 1.9.2.
 
+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
 Bugfixes
 ========
 
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
@@ -92,6 +92,11 @@ def test_is_safe_url(self):
                         'javascript:alert("XSS")',
                         '\njavascript:alert(x)',
                         '\x08//example.com',
+                        r'http://otherserver\@example.com',
+                        r'http:\\testserver\@example.com',
+                        r'http://testserver\me:pass@example.com',
+                        r'http://testserver\@example.com',
+                        r'http:\\testserver\confirm\me@example.com',
                         '\n'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
@@ -101,8 +106,15 @@ def test_is_safe_url(self):
                      'https://testserver/',
                      'HTTPS://testserver/',
                      '//testserver/',
+                     'http://testserver/confirm?email=me@example.com',
                      '/url%20with%20spaces/'):
             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+        # Valid basic auth credentials are allowed.
+        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
+        # A path without host is allowed.
+        self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
+        # Basic auth without host is not allowed.
+        self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
 
     def test_urlsafe_base64_roundtrip(self):
         bytestring = b'foo'
