Possible XSS via is_safe_url
Bug #1212059 reported by
Chris Johnston
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-django (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Lucid |
Won't Fix
|
Undecided
|
Unassigned | ||
| Precise |
Won't Fix
|
Undecided
|
Unassigned | ||
| Quantal |
Won't Fix
|
Undecided
|
Unassigned | ||
| Raring |
Won't Fix
|
Undecided
|
Unassigned | ||
| Saucy |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
"The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response."
https:/
| Changed in python-django (Ubuntu Saucy): | |
| status: | New → Fix Released |
| Changed in python-django (Ubuntu Lucid): | |
| status: | New → Triaged |
| Changed in python-django (Ubuntu Precise): | |
| status: | New → Triaged |
| Changed in python-django (Ubuntu Quantal): | |
| status: | New → Triaged |
| Changed in python-django (Ubuntu Raring): | |
| status: | New → Triaged |
| Changed in python-django (Ubuntu Raring): | |
| status: | Triaged → Won't Fix |
| Changed in python-django (Ubuntu Quantal): | |
| status: | Triaged → Won't Fix |
Revision history for this message
| Rolf Leggewie (r0lf) wrote | #1 |
| Changed in python-django (Ubuntu Lucid): | |
| status: | Triaged → Won't Fix |
Revision history for this message
| Steve Langasek (vorlon) wrote | #2 |
| Changed in python-django (Ubuntu Precise): | |
| status: | Triaged → Won't Fix |
To post a comment you must log in.
lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".