mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-25 04:54:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

[2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.

Browse source
This commit is contained in:
Andreas Hug 2018-07-24 16:18:17 -04:00 committed by Tim Graham
parent b323425661
commit c4e5ff7fdb
8 changed files with 78 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tests/middleware/tests.py
View file

@ -130,6 +130,25 @@ class CommonMiddlewareTest(SimpleTestCase):
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/needsquoting%23/')
@override_settings(APPEND_SLASH=True)
def test_append_slash_leading_slashes(self):
"""
Paths starting with two slashes are escaped to prevent open redirects.
If there's a URL pattern that allows paths to start with two slashes, a
request with path //evil.com must not redirect to //evil.com/ (appended
slash) which is a schemaless absolute URL. The browser would navigate
to evil.com/.
"""
# Use 4 slashes because of RequestFactory behavior.
request = self.rf.get('////evil.com/security')
response = HttpResponseNotFound()
r = CommonMiddleware().process_request(request)
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/%2Fevil.com/security/')
r = CommonMiddleware().process_response(request, response)
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/%2Fevil.com/security/')
@override_settings(APPEND_SLASH=False, PREPEND_WWW=True)
def test_prepend_www(self):
request = self.rf.get('/path/')