Fix potential XSS vulnerability in break_long_headers template filter by ch4n3-yoon · Pull Request #9435 · encode/django-rest-framework (original) (raw)

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation3 Commits1 Checks7 Files changed

Conversation

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})

ch4n3-yoon

Description

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.

This pull request addresses a potential XSS vulnerability in the break_long_headers template filter. By escaping the header input before processing, the risk of XSS attacks is mitigated.

@ch4n3-yoon

The header input is now properly escaped before splitting and joining with
tags. This prevents potential XSS attacks if the header contains unsanitized user input.

browniebroke

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably deserves a test

@tomchristie

@browniebroke Let's prioritise getting this sorted, rather than waiting on a test case.

I'd marginally prefer #9438 over this, since the line break isn't actually required however we should just go with whatever gets this resolved as quickly as possible at this point.

tomchristie

@ch4n3-yoon

I've identified a potential XSS vulnerability related to the break_long_headers template filter used in the rest_framework/base.html template file by APIView. This file employs the break_long_headers template filter, making the following code vulnerable to XSS attacks due to unsanitized user input:

views.py

from rest_framework.views import APIView from rest_framework.response import Response

class Index(APIView): def get(self, request): username = request.GET.get('username', '')

    response = Response('OK')
    response['Location'] = f'https://x.com/{username}'
    return response

urls.py

from django.urls import path urlpatterns = [ path('api/', Index.as_view()), ]

I believe it is essential to register this issue as a CVE to ensure that users of earlier versions of DRF are aware and can manage this vulnerability appropriately. Your thoughts on this?

@ch4n3-yoon ch4n3-yoon deleted the fix/break_long_headers-filter branch

June 14, 2024 10:12

FraCata00 pushed a commit to FraCata00/django-rest-framework that referenced this pull request

Jun 20, 2024

tomchristie pushed a commit that referenced this pull request

Jun 27, 2024

@FraCata00

…9444)

Co-authored-by: Francesco francesco.cataldo@spinforward.it

vladislav1010 pushed a commit to vladislav1010/django-rest-framework that referenced this pull request

Jul 5, 2024