justinmayer / django-elevate

Protect your sensitive Django views by requiring re-authentication

Remove or update is_safe_url?

moggers87 opened this issue · comments

This package currently has a copy of Django's is_safe_url in elevate.utils because older versions of Django have vulnerabilities. Upstream didn't record which versions of Django are vulnerable or which version of Django they took is_safe_url from, so we need to do the following:

  • Work out which version of Django is_safe_url was taken from
  • Find out which versions of Django are affected and if there are additional vulnerabilities with the current version
  • Either remove or update is_safe_url depending on what's what

So the version we have in this package is from Django 1.9; this fix was also backported to 1.7 and 1.8. Therefore we can remove django-elevate's copy of is_safe_url without making applications unsafe.

This copy of is_safe_url is also out of sync with upstream: a fix for CVE-2017-7233 has been applied to all versions of Django that we currently support except 1.7. Therefore, I think this is a good time to remove Django 1.7 support too.

Nice sleuthing, Matt. I agree that this is a good time to remove Django 1.7 support and is_safe_url.