#36000: Update default from http to https in urlize when protocol not provided
--------------------------------------+------------------------------------
     Reporter:  saravana-hackz        |                    Owner:  (none)
         Type:  Cleanup/optimization  |                   Status:  new
    Component:  HTTP handling         |                  Version:  5.1
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  0                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  1                     |                    UI/UX:  0
--------------------------------------+------------------------------------
Changes (by Sarah Boyce):

 * has_patch:  1 => 0
 * stage:  Unreviewed => Accepted
 * summary:  Insecure URL Handling (HTTP Protocol Default) in urlize =>
     Update default from http to https in urlize when protocol not provided


Old description:

> Hi Team,
> In django/utils/html.py  ,Line no 347 ,Due to following code,
> url = smart_urlquote("http://%s" % html.unescape(middle))
>
> When user input does not include protocol it defaultly prefers http
> (Insecure Protocol).
> Example :
> Considered a web app using urlize() for password reset email template
> input = Password reset link myapp.com/password/reset/{token}
> output,
> Password reset link <a href="http://myapp.com/password/reset/{token}"/>
> so when end user of myapp clicks it the url with token sent in http
> insecure protocol.
>
> This behavior could potentially lead to man-in-the-middle attacks
>
> Suggested Fix:
> Default to HTTPS: If the URL doesn't specify a protocol, Django could
> default to https://

New description:

 In `django/utils/html.py`, `urlize` there is:
 {{{
 url = smart_urlquote("http://%s" % html.unescape(middle))
 }}}

 When user input does not include a protocol it defaults to http (Insecure
 Protocol).

 Example:
 Consider a web app using `urlize()` for a password reset email template
 {{{
 input = "Password reset link myapp.com/password/reset/{token}"
 }}}
 output:
 {{{
 "Password reset link <a href="http://myapp.com/password/reset/{token}"/>"
 }}}

 so when the end user of myapp clicks it, the URL with the token is sent over
 the insecure http protocol.
 This behavior could potentially lead to man-in-the-middle attacks.

 Suggested Fix:
 Default to HTTPS: If the URL doesn't specify a protocol, Django could
 default to https://

--
Comment:

 Thank you!
 Note that the security team discussed this and agreed this can be handled
 publicly. This is similar to #34380.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36000#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
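The http-versus-https default discussed in this ticket, as an added example that is not Django's own code: a deliberately simplified stand-in for the scheme-prefixing step of `urlize` (the real implementation also handles email addresses, trailing punctuation and URL trimming, which this does not), with a `default_scheme` parameter that is an assumption modelling the proposed change rather than an existing `urlize` argument, plus a check that flags plain-http hrefs in rendered output such as an outgoing reset email.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Constructed stand-in: tokens that already carry a scheme are kept as-is;
# "www." hosts and bare host/path tokens get default_scheme prepended, the
# step where Django's urlize currently does `"http://%s" % ...`.
SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
BARE_HOST_RE = re.compile(r"^[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def link_target(word, default_scheme):
    """Return (href, is_link) for one whitespace-delimited token."""
    if SCHEME_RE.match(word):
        return word, True  # explicit scheme: left untouched, never rewritten
    if word.lower().startswith("www.") or BARE_HOST_RE.match(word):
        return f"{default_scheme}://{word}", True
    return word, False


def urlize(text, default_scheme="https"):
    """Wrap link-looking tokens in <a>; default_scheme is a hypothetical
    parameter modelling the ticket's proposed https default."""
    out = []
    for word in text.split(" "):
        href, is_link = link_target(html.unescape(word), default_scheme)
        if is_link:
            safe_href = quote(href, safe="/:?=&#%")  # keep URL delimiters
            out.append(f'<a href="{html.escape(safe_href)}">{html.escape(word)}</a>')
        else:
            out.append(html.escape(word))
    return " ".join(out)


def insecure_links(rendered_html):
    """Review check for outgoing templates: hrefs that still use plain http,
    which would carry a reset token over an unencrypted connection."""
    hrefs = re.findall(r'href="([^"]+)"', rendered_html)
    return [h for h in hrefs if urlsplit(h).scheme == "http"]


if __name__ == "__main__":
    message = "Password reset link myapp.com/password/reset/abc123"  # constructed
    print(urlize(message, default_scheme="http"))  # current urlize behaviour
    print(urlize(message))                         # proposed https default
    print(insecure_links(urlize(message, default_scheme="http")))
```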
