[2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.

2025-08-21 19:14:36 +00:00 · 2018-07-24 16:18:17 -04:00 · 2018-07-24 16:18:17 -04:00 · c4e5ff7fdb
commit c4e5ff7fdb
parent b323425661
8 changed files with 78 additions and 8 deletions
--- a/docs/releases/1.11.15.txt
+++ b/docs/releases/1.11.15.txt
@ -5,3 +5,16 @@ Django 1.11.15 release notes
 *August 1, 2018*

 Django 1.11.15 fixes a security issue in 1.11.14.
+
+CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
+=================================================================
+
+If the :class:`~django.middleware.common.CommonMiddleware` and the
+:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
+URL pattern that accepts any path ending in a slash (many content management
+systems have such a pattern), then a request to a maliciously crafted URL of
+that site could lead to a redirect to another site, enabling phishing and other
+attacks.
+
+``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
+domains.
--- a/docs/releases/2.0.8.txt
+++ b/docs/releases/2.0.8.txt
@ -6,6 +6,19 @@ Django 2.0.8 release notes

 Django 2.0.8 fixes a security issue and several bugs in 2.0.7.

+CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
+=================================================================
+
+If the :class:`~django.middleware.common.CommonMiddleware` and the
+:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
+URL pattern that accepts any path ending in a slash (many content management
+systems have such a pattern), then a request to a maliciously crafted URL of
+that site could lead to a redirect to another site, enabling phishing and other
+attacks.
+
+``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
+domains.
+
 Bugfixes
 ========