
e.g. if the following redirects to evilsite.com from mysite.com: https://www.mysite.com/http:%5C%5Cwww.Evilsite.com

I am using Django 1.4 hosted on Apache using mod_wsgi (latest version).

attaboyabhipro

Django cannot prevent all open redirect attacks automatically.

As a workaround, Django provides a helper function, django.utils.http.is_safe_url. You need to check the URL manually before passing it to the redirect function. Don't implement your own function. Even the Django core developers did not implement it correctly in the first place. Check this security release.

Reference:

Avoid open redirect issue with whitelist

Put protection against unsafe redirects into HttpResponseRedirectBase

Leonardo.Z
  • Since Django 3.0, `is_safe_url` is deprecated, replaced by [`url_has_allowed_host_and_scheme`](https://github.com/django/django/blob/master/django/utils/http.py#L302) in `django.utils.http`. – Flimm Feb 06 '20 at 16:40
  • And note that url_has_allowed_host_and_scheme is still not safe! On top of using the new function, `url_has_allowed_host_and_scheme`, you should also be sure to encode your URL with the `urlencode` filter. – mlissner Mar 13 '21 at 18:13
  • @mlissner What's the reason it's not safe to just do `url_has_allowed_host_and_scheme`? (without `urlencode`) – qff Oct 01 '21 at 08:49
  • My bad – I found the answer over here: https://stackoverflow.com/a/60372947/118608 – qff Oct 01 '21 at 09:11
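A worked example, added here as an illustration and not taken from the answer above or from Django's own source: a pure-Python allowlist check modelled on what `django.utils.http.url_has_allowed_host_and_scheme` verifies (the scheme and host of the candidate URL, checked both as given and with backslashes replaced by slashes, since some browsers treat `\` as `/`), followed by the percent-encoding of the `next` parameter that the comments recommend. `ALLOWED_HOSTS`, the function names and the sample URLs are assumptions constructed for this example; in a real Django project you would call the framework's helper rather than this reimplementation.

```python
import unicodedata
from urllib.parse import urlsplit, urlencode

# Constructed sample: the hosts this application serves (an assumption for the example).
ALLOWED_HOSTS = {"www.mysite.com"}


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    """One pass of the check; modelled on Django's helper, not Django's code."""
    # "///evil.com" parses as a path-only URL but browsers treat it as a host.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # A scheme without a host ("javascript:...", "http:\\evil.com") is never a same-site path.
    if parts.scheme and not parts.netloc:
        return False
    # A leading control character (Unicode category C*) can confuse browser URL parsing.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:
        scheme = "http"  # "//host/path" is protocol-relative; treat it as http
    valid_schemes = ("https",) if require_https else ("http", "https")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_allowed_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only if `url` is relative or points at an allowed host over an allowed scheme."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Check the raw URL and the backslash-normalised URL. Without the second pass,
    # "\\www.Evilsite.com" looks like a relative path but a browser may read it as
    # "//www.Evilsite.com", which is the trick in the question's URL.
    return (_host_and_scheme_ok(url, allowed_hosts, require_https)
            and _host_and_scheme_ok(url.replace("\\", "/"), allowed_hosts, require_https))


def redirect_target(next_url, fallback="/"):
    """Return next_url if it stays on an allowed host, otherwise a safe fallback path."""
    return next_url if is_allowed_redirect(next_url) else fallback


def build_login_url(login_path, next_url):
    """Embed the return URL as a percent-encoded query parameter (the `urlencode` advice)."""
    return f"{login_path}?{urlencode({'next': next_url})}"


if __name__ == "__main__":
    # Constructed sample values of a `next` parameter, as an attacker or a user might send them.
    for candidate in ["/accounts/profile/", "http:\\\\www.Evilsite.com",
                      "\\\\www.Evilsite.com", "//www.Evilsite.com", "javascript:alert(1)"]:
        print(f"{candidate!r:32} -> {redirect_target(candidate)}")
    print(build_login_url("/login/", "/accounts/profile/?x=1&y=2"))
```

The two-pass design is the part worth copying: every check runs once on the URL as received and once with backslashes turned into slashes, and the redirect is allowed only if both passes agree. The encoding helper addresses the second comment: the validated value is percent-encoded when placed back into a query string, so `?`, `&` and `/` inside it cannot be reinterpreted as delimiters.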