#26902: Add `secure` argument to `is_safe_url()`
-----------------------------+--------------------
     Reporter:  suligap      |      Owner:  nobody
         Type:  New feature  |     Status:  new
    Component:  Utilities    |    Version:  master
     Severity:  Normal       |   Keywords:
 Triage Stage:  Unreviewed   |  Has patch:  1
Easy pickings:  0            |      UI/UX:  0
-----------------------------+--------------------
 `django.utils.http.is_safe_url()` considers any HTTP and HTTPS url safe as
 long as its hostname matches the `host` argument. Currently this is true:
 `is_safe_url('http://example.com', host='example.com')`.

 Let's add a `secure` argument to `is_safe_url()` so that when it's `True`,
 only HTTPS is considered as a safe scheme.

 The existence of that argument alone would make users aware of potential
 issues that can arise from ignoring it. For example if a developer uses
 `is_safe_url()` to validate user supplied urls for redirection to a target
 with appended secrets as url query params.

 `django.contrib.admin` uses `django.contrib.auth` login view where
 `is_safe_url()` is used to validate the `next` query param. This scenario
 is currently possible:
 - user goes to
 https://example.net/admin/login/?next=http://example.net/admin/foo
 - they enter their credentials and POST to the above url
 - They're successfully authenticated, they receive a response with a new
 session cookie and are redirected to http://example.net/admin/foo

 Of course our HTTPS site should only set `Secure` session cookies and use
 HSTS, so there should be no possibility of the cookie being sent by
 the user via HTTP. But if the site doesn't set secure cookies and doesn't
 use HSTS, this is a problem. If the site doesn't use secure cookies in the
 first place, then the `secure` param to `is_safe_url()` won't help much,
 but I would argue it still makes the validation more "complete".

--
Ticket URL: <https://code.djangoproject.com/ticket/26902>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
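The scheme-and-host check the ticket describes, with the proposed `secure` switch, as an added stand-alone example. This is not Django's `django.utils.http.is_safe_url()` implementation; the function name `is_safe_redirect`, the backslash normalisation and the sample URLs are assumptions of this example.

```python
from urllib.parse import urlparse


def is_safe_redirect(url, host, secure=False):
    """Return True if `url` is a relative path or points at `host`.

    With secure=True only an https:// target (or a relative path, which
    inherits the current scheme) is accepted; an http:// target is rejected
    even when the hostname matches, so a `next` parameter cannot move an
    authenticated user from the HTTPS login page to a plain-HTTP page.
    """
    if not url:
        return False
    # Browsers treat "\" like "/", so "/\evil.example" would become a
    # protocol-relative URL; normalise before parsing (added hardening).
    url = url.replace("\\", "/")
    parts = urlparse(url)
    # Reject javascript:, data:, ftp: and any other non-web scheme.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # "//evil.example/x" has an empty scheme but a foreign netloc: reject.
    if parts.netloc and parts.netloc != host:
        return False
    # The ticket's proposal: with secure=True, plain HTTP is never safe.
    if secure and parts.scheme == "http":
        return False
    return True


def check_next_param(next_url, host):
    """Evaluate a `next` value both ways, as the admin login view would."""
    return {
        "default": is_safe_redirect(next_url, host),
        "secure": is_safe_redirect(next_url, host, secure=True),
    }


if __name__ == "__main__":
    # The scenario from the ticket: HTTPS login page, http:// `next` target.
    print(check_next_param("http://example.net/admin/foo", "example.net"))
```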