diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2024-11-15 23:09:05 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-11-15 23:09:05 (GMT) |
| commit | d6bcc154e93a0a20ab97187d3e8b726fffb14f8f (patch) | |
| tree | 6c1943b1e4e44e5cdfff45ecb2557a48e2445db5 /Doc | |
| parent | 94a7a4e22fb8f567090514785c69e65298acca42 (diff) | |
| download | cpython-d6bcc154e93a0a20ab97187d3e8b726fffb14f8f.zip cpython-d6bcc154e93a0a20ab97187d3e8b726fffb14f8f.tar.gz cpython-d6bcc154e93a0a20ab97187d3e8b726fffb14f8f.tar.bz2 | |
Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659)
This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start.
Diffstat (limited to 'Doc')
| -rw-r--r-- | Doc/library/urllib.parse.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst index 0501dc8..44a9c79 100644 --- a/Doc/library/urllib.parse.rst +++ b/Doc/library/urllib.parse.rst @@ -407,6 +407,15 @@ or on combining URL components into a URL string. If you do not want that behavior, preprocess the *url* with :func:`urlsplit` and :func:`urlunsplit`, removing possible *scheme* and *netloc* parts. + .. warning:: + + Because an absolute URL may be passed as the ``url`` parameter, it is + generally **not secure** to use ``urljoin`` with an attacker-controlled + ``url``. For example in, + ``urljoin("https://website.com/users/", username)``, if ``username`` can + contain an absolute URL, the result of ``urljoin`` will be the absolute + URL. + .. versionchanged:: 3.5 |