https://github.com/python/cpython/commit/797a6327cc8974bb6a692b0761d425392776ae6f
commit: 797a6327cc8974bb6a692b0761d425392776ae6f
branch: 3.12
author: Miss Islington (bot) <31488909+miss-isling...@users.noreply.github.com>
committer: Eclips4 <kirill.ba...@mail.ru>
date: 2024-11-15T23:17:37Z
summary:
[3.12] Added a warning to the urljoin docs, indicating that it is not safe to
use with attacker controlled URLs (GH-126659) (#126889)
Added a warning to the urljoin docs, indicating that it is not safe to use with
attacker controlled URLs (GH-126659)
This was flagged to me at a party today by someone who works in red-teaming as
a frequently encountered footgun. Documenting the potentially unexpected
behavior seemed like a good place to start.
(cherry picked from commit d6bcc154e93a0a20ab97187d3e8b726fffb14f8f)
Co-authored-by: Alex Gaynor <alex.gay...@gmail.com>
files:
M Doc/library/urllib.parse.rst
diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
index 27909b763e9e43..b32b4af1aa84bf 100644
--- a/Doc/library/urllib.parse.rst
+++ b/Doc/library/urllib.parse.rst
@@ -395,6 +395,15 @@ or on combining URL components into a URL string.
If you do not want that behavior, preprocess the *url* with
:func:`urlsplit` and
:func:`urlunsplit`, removing possible *scheme* and *netloc* parts.
+ .. warning::
+
+ Because an absolute URL may be passed as the ``url`` parameter, it is
+ generally **not secure** to use ``urljoin`` with an attacker-controlled
+ ``url``. For example in,
+ ``urljoin("https://website.com/users/";, username)``, if ``username`` can
+ contain an absolute URL, the result of ``urljoin`` will be the absolute
+ URL.
+
.. versionchanged:: 3.5
_______________________________________________
Python-checkins mailing list -- python-checkins@python.org
To unsubscribe send an email to python-checkins-le...@python.org
https://mail.python.org/mailman3/lists/python-checkins.python.org/
Member address: arch...@mail-archive.com
