[Bug 1212059] [NEW] Possible XSS via is_safe_url

Chris Johnston chris.johnston at canonical.com
Wed Aug 14 01:10:41 UTC 2013


*** This bug is a security vulnerability ***

Public security bug reported:

"The is_safe_url() function works as intended for HTTP and HTTPS URLs,
but due to the manner in which it parses the URL, will permit redirects
to other schemes, such as javascript:. While the Django project is
unaware of any demonstrated ability to perform cross-site scripting
attacks via this mechanism, the potential for such is sufficient to
trigger a security response."

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1212059

Title:
  Possible XSS via is_safe_url

Status in “python-django” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1212059/+subscriptions
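
The advisory's point is that a "safe redirect" check which only compares the host, and never the scheme, lets a `?next=` value such as `javascript:` through. As an added illustration (not code from the Django project or from this bug report, and not its `is_safe_url()`), here is a redirect-target check that allow-lists both scheme and host; the function and constant names are my own.

```python
"""Hardened open-redirect check for a ``next``-style parameter.  Added
example; the names below are assumptions, not Django's API."""
from urllib.parse import urlsplit

# Only these schemes may appear explicitly in a redirect target.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_redirect(url: str, host: str) -> bool:
    """Return True only if ``url`` is site-relative or names ``host`` over
    http/https.  javascript:, data:, foreign hosts and scheme-relative
    //host forms are all rejected."""
    if url is None:
        return False
    url = url.strip()  # browsers ignore leading/trailing whitespace
    if not url:
        return False
    # Embedded control characters (tab, newline, NUL, ...) can make the
    # server and the browser parse the URL differently: reject outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    # Some browsers treat a backslash like a slash, so "/\evil" becomes
    # "//evil"; normalise first so the checks below see the same URL.
    url = url.replace("\\", "/")
    # "///evil.example" parses here as a bare path, but a browser resolves
    # it with evil.example as the host.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    if scheme:
        # An explicit scheme must be allow-listed AND carry an authority that
        # is exactly our host ("http:evil.example" has no authority: reject).
        return scheme in ALLOWED_SCHEMES and netloc == host.lower()
    # No scheme: a site-relative path, or //host which must be our own host.
    return not netloc or netloc == host.lower()


def safe_next(url: str, host: str, fallback: str = "/") -> str:
    """Choose the redirect target: the supplied URL if it passes the check,
    otherwise a known-good fallback path."""
    return url if is_safe_redirect(url, host) else fallback
```

`host` is expected to be the request's own host (including any port), so a target on a different port is treated as a different host.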
