#5227: Redirect security check in login code is incomplete
-----------------------------------------------------------------+----------
Reporter: Sander Dijkhuis <[email protected]>  |  Owner: adrian
Status: reopened                                  |  Milestone:
Component: Contrib apps                           |  Version: 1.0
Resolution:                                       |  Keywords: auth
Stage: Unreviewed                                 |  Has_patch: 0
Needs_docs: 0                                     |  Needs_tests: 0
Needs_better_patch: 0                             |
-----------------------------------------------------------------+----------
Changes (by [email protected]):
* status: closed => reopened
* version: SVN => 1.0
* resolution: fixed =>
Comment:
I believe that the implemented fix is overly broad. My concrete example is
the OAuth token authorization cycle. In order for a user to authorize the
token, a GET request is made to the OAuth provider with an oauth_callback
parameter containing the callback URL. Properly escaped, this parameter
will look like this:
{{{
oauth_callback=http%3D//example.com/
}}}
Given that the check for '//' in the redirect checks the entire string, a
query parameter as above will cause the security check to be triggered and
the user will be redirected incorrectly.
If the concern is that a redirect request that starts with '//' could
(that's a big "could" because I believe that it's browser dependent what
the behavior would be) then I think the appropriate fix is to change the
check to this:
{{{
# reject empty targets, protocol-relative URLs, absolute URLs and targets containing spaces
if not redirect_to or redirect_to.startswith('//') or '://' in redirect_to or ' ' in redirect_to:
}}}
--
Ticket URL: <http://code.djangoproject.com/ticket/5227#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
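The two checks discussed in the ticket, side by side, as an added example that is not part of the ticket or of Django's own code. The exact form of the "overly broad" check is assumed from the comment's description (any '//' anywhere in the string is rejected); the proposed check is the one-liner from the comment written as a predicate; the third, parser-based variant is an addition here that goes beyond the ticket by rejecting any target that parses to a scheme or host, and by folding backslashes, which the string-based checks do not consider. All sample redirect targets are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample redirect targets (not from the ticket except the OAuth one).
OAUTH_STYLE = "/authorize/?oauth_callback=http%3D//example.com/"  # shape from the ticket
PROTOCOL_RELATIVE = "//evil.example/"
ABSOLUTE = "http://evil.example/"
BACKSLASH = "/\\evil.example/"  # some browsers treat '\' like '/'
LOCAL = "/accounts/profile/"
EMPTY = ""


def is_safe_redirect_broad(redirect_to: str) -> bool:
    """Assumed form of the check the ticket complains about: any '//' anywhere in
    the string is rejected, so the OAuth callback in the query string is rejected too."""
    return bool(redirect_to) and "//" not in redirect_to and " " not in redirect_to


def is_safe_redirect_proposed(redirect_to: str) -> bool:
    """The check proposed in the comment, as a predicate: reject empty targets,
    protocol-relative targets, anything with a scheme separator, and spaces."""
    if not redirect_to:
        return False
    return not (
        redirect_to.startswith("//") or "://" in redirect_to or " " in redirect_to
    )


def is_safe_redirect_parsed(redirect_to: str) -> bool:
    """Stricter parser-based variant (added here, not from the ticket): accept only
    a relative path with neither scheme nor host, after folding backslashes."""
    if not redirect_to:
        return False
    normalised = redirect_to.replace("\\", "/")
    # urlsplit('///x') yields an empty netloc, so check the prefix explicitly.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    return not parts.scheme and not parts.netloc


CHECKS = {
    "broad": is_safe_redirect_broad,
    "proposed": is_safe_redirect_proposed,
    "parsed": is_safe_redirect_parsed,
}


def compare(samples: dict) -> dict:
    """Return {sample_name: {check_name: accepted}} for every sample and check."""
    return {
        name: {check: fn(value) for check, fn in CHECKS.items()}
        for name, value in samples.items()
    }


if __name__ == "__main__":
    samples = {
        "oauth": OAUTH_STYLE,
        "protocol_relative": PROTOCOL_RELATIVE,
        "absolute": ABSOLUTE,
        "backslash": BACKSLASH,
        "local": LOCAL,
        "empty": EMPTY,
    }
    for name, results in compare(samples).items():
        verdicts = ", ".join(f"{k}={'accept' if v else 'reject'}" for k, v in results.items())
        print(f"{name:18s} {verdicts}")
```

Running it shows the point of the ticket: the broad check rejects the OAuth-style target because of the '//' inside the query string, while the proposed check accepts it and still rejects the protocol-relative and absolute targets. The parser-based variant additionally rejects the backslash form that both string checks let through.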