mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-04 17:08:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 13

[3.13] Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659) (#126888)

Browse source 
Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659)

This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start.
(cherry picked from commit d6bcc154e9)

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
This commit is contained in:
Miss Islington (bot) 2024-11-16 00:15:27 +01:00 committed by GitHub
parent 7be8743bd1
commit c8962104f2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
Doc/library/urllib.parse.rst
View file

@ -403,6 +403,15 @@ or on combining URL components into a URL string.
If you do not want that behavior, preprocess the *url* with :func:`urlsplit` and
:func:`urlunsplit`, removing possible *scheme* and *netloc* parts.
.. warning::
Because an absolute URL may be passed as the ``url`` parameter, it is
generally **not secure** to use ``urljoin`` with an attacker-controlled
``url``. For example in,
``urljoin("https://website.com/users/", username)``, if ``username`` can
contain an absolute URL, the result of ``urljoin`` will be the absolute
URL.
.. versionchanged:: 3.5