Hi all,

Django provides a function `django.utils.is_safe_url()` to ensure that a given 
URL (absolute or relative) is safe to redirect to. I needed that functionality 
on another project that doesn't use Django at all. I thus built a standalone 
is-safe-url Python package that can be installed from PyPI and exposes exactly 
that functionality:

  $ pip install is-safe-url
  Collecting is-safe-url
    Downloading https://files.pythonhosted.org/packages/7a/c3/40c363bc4c3d0ddcda3489239ba64752b8c18cb6493e058f8f1b73154925/is_safe_url-1.0-py3-none-any.whl
  Installing collected packages: is-safe-url
  Successfully installed is-safe-url-1.0

The code is available on GitLab: https://gitlab.com/MarkusH/is_safe_url

I'd love to get some feedback on a couple of things:

- As Django is published under the BSD-3 clause license, the standalone package 
is published under the same license. I'd love some feedback if the package 
adheres to the required references and naming of the source.

- I added a note that security issues should be reported privately to the 
Django security team at secur...@djangoproject.com or to me personally (I'm a 
member of the security team and could forward the report accordingly). Are 
there suggestions on how the statement in the README could be made clearer?

- The package is available for Python 2.7, 3.4, 3.5, 3.6, and 3.7. Should I 
keep 2.7 or drop it? I know some people are still on 2.7 and 2.7 is still 
supported for another 2 years.

- How would security releases work? When there's a security report against 
Django's built-in is_safe_url(), this package would need to be released as well.

- Jannis Leidel raised a valid concern about abandonment of this or similar 
packages (thanks!): "I'm mostly worried about abandonment of packages (from 
experience) that makes maintenance of sec infrastructure brittle." — 
https://twitter.com/jezdez/status/1049955307558981634

I want to approach the latter concern about abandonment upfront. But I don't 
have a clear answer or solution to it yet.

- Would it be useful to have this package under the Django GitHub org?
- If so, should Django itself depend on that package? Given how 
often Django had security releases because of issues in `is_safe_url()`, 
releasing a smaller package instead of the full Django package could possibly be 
beneficial.
- Does somebody from the security team want to be, or should somebody be, another maintainer?

Thanks for reading.

Markus
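For readers who have not looked at what a "safe redirect target" check has to cover, here is an added example (not code from the is-safe-url package or from Django) that approximates the checks the function described above is documented to perform: a bare relative path is accepted, an absolute or scheme-relative URL must point at one of the caller's allowed hosts, only http/https schemes are tolerated, and `require_https` rejects plain http. The function name `is_safe_redirect_target`, the helper `_check_one`, and the sample inputs are my own; the backslash and `///` handling reflects how browsers reinterpret such strings, which is why a defender has to test the normalised form as well as the original.

```python
import unicodedata
from urllib.parse import urlparse

# Added example: an approximation of a Django-style safe-redirect check.
# Names and rules are this example's own, not the package's API.


def _check_one(url, allowed_hosts, require_https):
    """Apply the host/scheme rules to a single spelling of the URL."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    # "http:///evil.com" or "http:evil.com": a scheme with no host. Some browsers
    # still treat the path component as the hostname, so refuse it outright.
    if parsed.scheme and not parsed.netloc:
        return False
    scheme = parsed.scheme.lower()
    # Scheme-relative "//host/path" is fetched over whatever the page used;
    # treat it as http so require_https can reject it.
    if not scheme and parsed.netloc:
        scheme = "http"
    valid_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parsed.netloc or parsed.netloc.lower() in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_redirect_target(url, allowed_hosts, require_https=False):
    """Return True only if `url` is a relative path or points at an allowed host."""
    if not url:
        return False
    # Control characters (category C*) and leading/trailing whitespace are
    # silently dropped by some browsers, which can turn "/x" into "//x".
    if url != url.strip() or any(unicodedata.category(c)[0] == "C" for c in url):
        return False
    allowed = {h.lower() for h in allowed_hosts}
    # Chrome treats "\" as "/" in paths, so "/\evil.com" becomes "//evil.com".
    # The original may still be meaningful (e.g. in basic-auth credentials),
    # so both spellings must pass.
    normalized = url.replace("\\", "/")
    if normalized.startswith("///"):
        return False
    return all(_check_one(u, allowed, require_https) for u in (url, normalized))


if __name__ == "__main__":
    # Constructed sample inputs for a site whose only allowed host is example.com.
    hosts = {"example.com"}
    for candidate in ("/accounts/profile/", "https://example.com/next",
                      "//evil.com/", "/\\evil.com", "http:///evil.com",
                      "javascript:alert(1)", "///evil.com", "\x00/path"):
        print(f"{candidate!r:28} -> {is_safe_redirect_target(candidate, hosts)}")
```

Used as a login-redirect guard, the `next` parameter is passed through this check and replaced with a fixed fallback path when it returns False; the point of testing both spellings is that a check on the raw string alone would accept `/\evil.com` while the browser follows it to evil.com.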
