#23330: RedirectResponse option to check the host of the url
-------------------------------+--------------------------------------
     Reporter:  doctormo       |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  HTTP handling  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by doctormo):

 Sorry for the lack of response Tim, I'm unsure how to answer the question.

 The security depends on the web-form being modified, on page or in
 transit. So a form that would redirect internally suddenly starts
 redirecting out to a spoof website without the user's knowledge or
 recognition.

 Normally the url for redirects is something the server specifies directly,
 while links are something the user/client deals with. The hole here is
 where the server starts redirecting to other servers even when not
 intending to.

 One of the questions I think is: Would devs have to monkey patch the
 functionality in or write awkward code in order to get this functionality?
 Considering the url is already parsed and we have the data ready to check,
 it's an ideal place to add the functionality.

--
Ticket URL: <https://code.djangoproject.com/ticket/23330#comment:6>
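
The host check discussed in the comment above, as an added example that is not part of the ticket, its patch, or Django itself: it validates a client-supplied redirect target against a set of trusted hosts using only the standard library. The function names, the `allowed_hosts` parameter and the sample hosts used with it are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def redirect_host_allowed(url, allowed_hosts):
    """Return True if `url` is relative or points at a host in `allowed_hosts`.

    Hypothetical helper for illustration; not a Django API.
    """
    if not url or url != url.strip():
        return False
    # Browsers treat "\" as "/" and drop control characters, so a URL that
    # parses as a local path here can still leave the site. Reject both.
    if "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # "///host" parses as a path in urlsplit but as a host in browsers.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, userinfo and port removed
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if not parts.netloc:
        # No host: only a scheme-less relative reference is acceptable
        # (rejects "javascript:..." and "http:///path").
        return parts.scheme == ""
    if parts.scheme not in ("", "http", "https"):
        return False
    return host in {h.lower() for h in allowed_hosts}


def safe_redirect_target(url, allowed_hosts, fallback="/"):
    """Return `url` when its host is allowed, otherwise the local fallback."""
    return url if redirect_host_allowed(url, allowed_hosts) else fallback
```

The comparison is on hostname only, so a different port on an allowed host is accepted; tighten that if ports separate trust boundaries in your deployment.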