Remove or update is_safe_url?
moggers87 opened this issue
This package currently has a copy of Django's `is_safe_url` in `elevate.utils` because older versions of Django have vulnerabilities. Upstream didn't record which versions of Django are vulnerable or which version of Django they took `is_safe_url` from, so we need to do the following:

- Work out which version of Django `is_safe_url` was taken from
- Find out which versions of Django are affected and if there are additional vulnerabilities with the current version
- Either remove or update `is_safe_url` depending on what's what
So the version we have in this package is from Django 1.9; this fix was also backported to 1.7 and 1.8. Therefore we can remove django-elevate's copy of `is_safe_url` without making applications unsafe.

This copy of `is_safe_url` is also out of sync with upstream: a fix for CVE-2017-7233 has been applied to all versions of Django that we currently support except 1.7. Therefore, I think this is a good time to remove Django 1.7 support too.
Nice sleuthing, Matt. I agree that this is a good time to remove Django 1.7 support and `is_safe_url`.