Opened 7 days ago
Last modified 7 days ago
#36000 assigned Cleanup/optimization
Insecure URL Handling (HTTP Protocol Default) in urlize — at Initial Version
| Reported by: | Saravana | Owned by: | |
|---|---|---|---|
| Component: | Template system | Version: | 5.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Saravana | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Hi Team,
In django/utils/html.py ,Line no 347 ,Due to following code,
url = smart_urlquote("http://%s" % html.unescape(middle))
When user input does not include protocol it defaultly prefers http (Insecure Protocol).
Example :
Considered a web app using urlize() for password reset email template
input = Password reset link myapp.com/password/reset/{token}
output,
Password reset link <a href="http://myapp.com/password/reset/{token}"/>
so when end user of myapp clicks it the url with token sent in http insecure protocol.
This behavior could potentially lead to man-in-the-middle attacks
Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to https://
Note:
See TracTickets
for help on using tickets.