[Bug 1212059] [NEW] Possible XSS via is_safe_url
Chris Johnston
chris.johnston at canonical.com
Wed Aug 14 01:10:41 UTC 2013
*** This bug is a security vulnerability ***
Public security bug reported:
"The is_safe_url() function works as intended for HTTP and HTTPS URLs,
but due to the manner in which it parses the URL, will permit redirects
to other schemes, such as javascript:. While the Django project is
unaware of any demonstrated ability to perform cross-site scripting
attacks via this mechanism, the potential for such is sufficient to
trigger a security response."
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
** Affects: python-django (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1212059
Title:
Possible XSS via is_safe_url
Status in “python-django” package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1212059/+subscriptions
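The parsing weakness the quoted advisory describes, as an added Python 3 example that is not from the bug report or from Django's own code base: `weak_is_safe_url` is a constructed host-only check of the kind the advisory criticises, and `is_safe_url` is the same check with a scheme allow-list added; the host name and sample redirect targets are constructed for illustration.

```python
"""Why a netloc-only redirect check lets javascript: through (constructed
illustration, not Django's code): urlparse() puts nothing in .netloc for
scheme-only URLs, so a check that only compares .netloc to the expected
host treats them like same-site relative paths."""
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def weak_is_safe_url(url, host=None):
    """Flawed pattern: any URL without a netloc is accepted as 'relative',
    whatever its scheme (javascript:, data:, ...)."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url(url, host=None):
    """Hardened check: netloc must be empty or equal to host, AND the scheme
    must be empty (relative path) or one of http/https. Scheme-relative
    '//other.host/' targets are still rejected by the netloc comparison."""
    if not url:
        return False
    parts = urlparse(url)
    if parts.netloc and parts.netloc != host:
        return False
    return not parts.scheme or parts.scheme in ALLOWED_SCHEMES


# Constructed sample values such as a 'next=' parameter might carry.
SAMPLES = [
    "/accounts/profile/",             # relative path: both checks accept
    "https://example.com/dashboard",  # same host, http(s): both accept
    "https://attacker.example/",      # foreign host: both reject
    "//attacker.example/",            # scheme-relative foreign host: both reject
    "javascript:alert(1)",            # the scheme named in the advisory
    "JavaScript:alert(1)",            # urlparse() lowercases the scheme
    "data:text/html,hello",           # another non-http scheme with no netloc
]


def compare(host="example.com"):
    """Return {url: (weak_result, hardened_result)} for every sample."""
    return {u: (weak_is_safe_url(u, host), is_safe_url(u, host)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (weak, hardened) in compare().items():
        print(f"{url!r:36} weak={weak!s:5} hardened={hardened}")
```

Running the block shows the weak check accepting every scheme-only sample while the hardened one accepts only the relative path and the same-host https URL.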