Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659)

This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start.
This commit is contained in:
Alex Gaynor 2024-11-15 18:09:05 -05:00 committed by GitHub
parent 94a7a4e22f
commit d6bcc154e9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions

View File

@ -407,6 +407,15 @@ or on combining URL components into a URL string.
If you do not want that behavior, preprocess the *url* with :func:`urlsplit` and
:func:`urlunsplit`, removing possible *scheme* and *netloc* parts.
.. warning::
Because an absolute URL may be passed as the ``url`` parameter, it is
generally **not secure** to use ``urljoin`` with an attacker-controlled
``url``. For example in,
``urljoin("https://website.com/users/", username)``, if ``username`` can
contain an absolute URL, the result of ``urljoin`` will be the absolute
URL.
.. versionchanged:: 3.5