Opened 7 days ago
Last modified 7 days ago
#36000 assigned Cleanup/optimization
Update default from http to https in urlize when protocol not provided
| Reported by: | Saravana | Owned by: | Saravana |
|---|---|---|---|
| Component: | Template system | Version: | 5.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Saravana | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description (last modified by )
In django/utils/html.py, urlize there is:
url = smart_urlquote("http://%s" % html.unescape(middle))
When user input does not include a protocol it defaults to http (Insecure Protocol).
Example :
Considered a web app using urlize() for password reset email template
input = "Password reset link myapp.com/password/reset/{token}"
output:
"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"
so when end user of myapp clicks it the url with token sent in http insecure protocol.
This behavior could potentially lead to man-in-the-middle attacks
Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to https://
Change History (3)
comment:1 by , 7 days ago
| Description: | modified (diff) |
|---|---|
| Has patch: | unset |
| Summary: | Insecure URL Handling (HTTP Protocol Default) in urlize → Update default from http to https in urlize when protocol not provided |
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 7 days ago
| Component: | HTTP handling → Template system |
|---|
comment:3 by , 7 days ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
Note:
See TracTickets
for help on using tickets.
Thank you!
Note that the security team discussed this and agreed this can be handled publicly. This is similar to #34380.