From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Fri, 15 Nov 2024 23:15:27 +0000 (+0100) Subject: [3.13] Added a warning to the urljoin docs, indicating that it is not safe to use... X-Git-Tag: v3.13.1~98 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c8962104f2c8502b9a6b8a5e0f6603916852c13f;p=thirdparty%2FPython%2Fcpython.git [3.13] Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659) (#126888) Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659) This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start. (cherry picked from commit d6bcc154e93a0a20ab97187d3e8b726fffb14f8f) Co-authored-by: Alex Gaynor --- diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst index fb5353e1895b..69daa381013a 100644 --- a/Doc/library/urllib.parse.rst +++ b/Doc/library/urllib.parse.rst @@ -403,6 +403,15 @@ or on combining URL components into a URL string. If you do not want that behavior, preprocess the *url* with :func:`urlsplit` and :func:`urlunsplit`, removing possible *scheme* and *netloc* parts. + .. warning:: + + Because an absolute URL may be passed as the ``url`` parameter, it is + generally **not secure** to use ``urljoin`` with an attacker-controlled + ``url``. For example in, + ``urljoin("https://website.com/users/", username)``, if ``username`` can + contain an absolute URL, the result of ``urljoin`` will be the absolute + URL. + .. versionchanged:: 3.5