Last active
January 7, 2018 21:25
-
-
Save codeadict/98f730b2a36d9a8466771dd6904beb38 to your computer and use it in GitHub Desktop.
Pipenv security check
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ pipenv check | |
| Checking PEP 508 requirements… | |
| Passed! | |
| Checking installed package safety… | |
| 33300: django >=1.10,<1.10.7 resolved (1.10.1 installed)! | |
| CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs | |
| ============================================================================================ | |
| Django relies on user input in some cases (e.g. | |
| :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) | |
| to redirect the user to an "on success" URL. The security check for these | |
| redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric | |
| URLs (e.g. ``http:999999999``) "safe" when they shouldn't be. | |
| Also, if a developer relies on ``is_safe_url()`` to provide safe redirect | |
| targets and puts such a URL into a link, they could suffer from an XSS attack. | |
| ... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment