CVE-2017-7233

Advisory

Django version 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7233: Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely 'django.utils.http.is_safe_url()') considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on 'is_safe_url()' to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========================

*April 4, 2017*

Django 1.10.7 fixes two security issues and a bug in 1.10.6.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
============================================================================================

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================

A maliciously crafted URL to a Django site using the
:func:`~django.views.static.serve` view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.

Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.

Bugfixes
========

* Made admin's ``RelatedFieldWidgetWrapper`` use the wrapped widget's
``value_omitted_from_data()`` method (:ticket:`27905`).

* Fixed model form ``default`` fallback for ``SelectMultiple``
(:ticket:`27993`).


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7233
• https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
• http://www.securityfocus.com/bid/97406
• http://www.securitytracker.com/id/1038177
• http://www.debian.org/security/2017/dsa-3835
• https://access.redhat.com/errata/RHSA-2017:3093
• https://access.redhat.com/errata/RHSA-2017:1596
• https://access.redhat.com/errata/RHSA-2017:1470
• https://access.redhat.com/errata/RHSA-2017:1462
• https://access.redhat.com/errata/RHSA-2017:1451
• https://access.redhat.com/errata/RHSA-2017:1445
• https://access.redhat.com/errata/RHSA-2018:2927