#36000: Insecure URL Handling (HTTP Protocol Default) in urlize
-------------------------------------+-------------------------------------
     Reporter:  saravana-hackz       |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:  HTTP
                                     |  handling
      Version:  5.1                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Hi Team,
 In django/utils/html.py, line 347, due to the following code:
 url = smart_urlquote("http://%s" % html.unescape(middle))

 When user input does not include a protocol it defaults to http
 (insecure protocol).
 Example:
 Consider a web app using urlize() for a password reset email template.
 input = Password reset link myapp.com/password/reset/{token}
 output:
 Password reset link <a href="http://myapp.com/password/reset/{token}"/>
 So when the end user of myapp clicks it, the URL with the token is sent
 over the insecure http protocol.

 This behavior could potentially lead to man-in-the-middle attacks.

 Suggested fix:
 Default to HTTPS: if the URL doesn't specify a protocol, Django could
 default to https://
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36000>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
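Added example (not part of the ticket or of Django's code): a pre-processing step that prepends https:// to scheme-less URLs before text is handed to urlize(), plus a check that scans rendered output for http:// hrefs so a template like the password-reset email above can be audited. The scheme-less URL pattern is a constructed approximation of the "www." / known-TLD shapes urlize links, not Django's own regex.

```python
import html
import re

# Constructed approximation of the scheme-less URL shapes urlize() turns into
# links: a bare "www." host, or a host ending in a common TLD, with an optional
# path. The lookbehind skips hosts that already follow a scheme ("//") or an
# e-mail "@", and the \b stops "example.community" matching as "example.com".
SCHEMELESS_RE = re.compile(
    r"(?<![\w@/.])"
    r"(?:www\.[\w.-]+|\w[\w.-]*\.(?:com|net|org|edu|gov|int|mil)\b)"
    r"(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)

# urlize() emits double-quoted href attributes, so that is what we audit.
HTTP_HREF_RE = re.compile(r'href="(http://[^"]*)"', re.IGNORECASE)


def prefix_https(text: str) -> str:
    """Prepend https:// to scheme-less URLs so urlize() never has to guess.

    Text that already carries a scheme (http://, https://) is left untouched.
    """
    return SCHEMELESS_RE.sub(lambda m: "https://" + m.group(0), text)


def find_insecure_hrefs(rendered_html: str) -> list[str]:
    """Return every http:// href in rendered HTML (e.g. a rendered e-mail body).

    Useful as a test or lint step over outgoing templates: an empty list means
    no link would send its path (and any token in it) over plain HTTP.
    """
    return [html.unescape(h) for h in HTTP_HREF_RE.findall(rendered_html)]


if __name__ == "__main__":
    # Constructed sample matching the ticket's scenario.
    body = "Password reset link myapp.com/password/reset/{token}"
    print(prefix_https(body))
    # Constructed sample of urlize-style output with the insecure default.
    rendered = '<a href="http://myapp.com/password/reset/{token}">x</a>'
    print(find_insecure_hrefs(rendered))
```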