You should probably be addressing urllib devs with this inquiry (e.g. such a
vuln is then probably in many other web frameworks). Anyhow, just out of
curiosity, wouldn't it be possible to use the functools.partial function to
replace urllib.parse.urlparse with ada-python in settings.py? Or make some
kind of Django extension that integrates this other dependency?

On Mon, Apr 1, 2024 at 10:37 PM 'Michael Lissner' via Django developers
(Contributions to Django itself) <django-developers@googlegroups.com> wrote:

> Hi all,
>
> A few years ago, I reported a vulnerability in Django because Python
> wasn't parsing URLs containing tabs or newlines correctly. In this ticket,
> it was fixed in Python:
>
> https://bugs.python.org/issue43882
>
> But Python, being maintained mostly by volunteers, did the minimum needed
> work to fix the vulnerability without really fixing the urlparse library
> properly.
>
> This means that it's probably still possible to send a URL to django that
> urlparse doesn't know how to handle. When this happens:
>
> 1. It could still be a vulnerability.* If this is the case, Django could
> redirect people to domains where it shouldn't.
>
> 2. It could fail to parse the URL properly, leading to the wrong URL being
> provided to the user.
>
> 3. urlparse could decide it's an invalid URL even though it's not.
>
> This is all pretty bad, but there is some hope in the form of a tool
> called Ada, which aims to actually support URL parsing properly:
>
> Homepage: https://www.ada-url.com/
> Github (more useful, really): https://github.com/ada-url/ada
>
> It's written in C++, is used in Node and Cloudflare Workers. It has
> bindings for Python, Rust, R, and Go. It's licensed under MIT and Apache
> License 2.0. It's fuzzed by Google OSS Fuzzer, and it's much faster than
> urlparse.
>
> I'm curious: Would Django consider switching to this library? I'm not sure
> if I'll have time to do the work, but I can at least open an issue if it's
> a useful switch to make, and I might be able to assign a developer to it if
> this is something we want.
>
> Love to hear thoughts,
>
> Mike
>
>
> * I'm posting this publicly because this kind of vulnerability is really
> well known these days, and exists across most general-purpose languages.
> URLs are just very difficult to parse properly.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/f31bc17b-c0c5-4ce4-9999-7d1ec3dfe90bn%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/f31bc17b-c0c5-4ce4-9999-7d1ec3dfe90bn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
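
As an added example, not code from this thread, from Django or from Ada: a small Python redirect-target check that refuses any URL carrying the tab/newline (and other control) characters the parser would silently strip, which is the class of input Mike describes, rather than trusting what urlparse reports afterwards. The hosts, paths and allow-list are constructed samples.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def has_control_or_space(url: str) -> bool:
    """True if the URL contains a tab, newline, space or other C0 control.

    These are the characters bpo-43882 made urlsplit strip and that the
    WHATWG algorithm (which Ada implements) removes, so a literal one in a
    redirect target means the parser will not see what the request carried.
    """
    return any(ord(ch) <= 0x20 or ch == "\x7f" for ch in url)


def netloc_seen_by_urlsplit(url: str) -> str:
    """What the stdlib parser reports as the authority, for comparison."""
    return urlsplit(url).netloc


def is_safe_redirect(url: str, allowed_hosts: set) -> bool:
    """Accept only a same-site relative path or an http(s) URL whose host
    is in allowed_hosts. Suspicious input is refused, never normalised."""
    if not url or has_control_or_space(url):
        return False                  # parser would rewrite it; refuse instead
    if "\\" in url:
        return False                  # browsers read '\' as '/', urlsplit does not
    if url.startswith("//"):
        return False                  # scheme-relative: host is caller-chosen
    try:
        parts = urlsplit(url)
    except ValueError:                # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        return url.startswith("/")    # plain path, stays on this site
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                  # javascript:, data:, ...
    host = parts.hostname             # lower-cased, port and userinfo dropped
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    # Constructed sample: a tab inside the host, the bug class under discussion.
    raw = "https://exam\tple.com/next"
    print("urlsplit sees netloc:", repr(netloc_seen_by_urlsplit(raw)))
    print("accepted as redirect:", is_safe_redirect(raw, {"example.com"}))
```

Running it shows the gap the thread is about: the netloc urlsplit reports for the tab-laden sample depends on the Python version, while the wrapper's answer does not.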
