

Fix SSRF: do not use urljoin, quote uuids
bhelx committed Nov 9, 2017
1 parent fabd88e commit 1af0c48
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions recurly/resource.py
Expand Up @@ -12,7 +12,7 @@
import recurly.errors
from recurly.link_header import parse_link_value
from six.moves import http_client
from six.moves.urllib.parse import urlencode, urljoin, urlsplit
from six.moves.urllib.parse import urlencode, urlsplit, quote


class Money(object):
Expand Down Expand Up @@ -342,7 +342,8 @@ def get(cls, uuid):
can be directly requested with this method.
"""
url = urljoin(recurly.base_uri(), cls.member_path % (uuid,))
uuid = quote(str(uuid))
url = recurly.base_uri() + (cls.member_path % (uuid,))
resp, elem = cls.element_for_url(url)
return cls.from_element(elem)

Expand Down Expand Up @@ -601,7 +602,7 @@ def all(cls, **kwargs):
parameters.
"""
url = urljoin(recurly.base_uri(), cls.collection_path)
url = recurly.base_uri() + cls.collection_path
if kwargs:
url = '%s?%s' % (url, urlencode(kwargs))
return Page.page_for_url(url)
Expand All @@ -623,7 +624,7 @@ def _update(self):
return self.put(self._url)

def _create(self):
url = urljoin(recurly.base_uri(), self.collection_path)
url = recurly.base_uri() + self.collection_path
return self.post(url)

def put(self, url):
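Review bot: At `uuid = quote(str(uuid))` in `get`, `quote` leaves `/` unescaped by default (`safe='/'`), so a caller-supplied uuid containing `/` or `..` segments still adds extra path components and can address a different resource under `base_uri()`; the change closes the cross-host case of `urljoin` but not this same-host one. Encoding the value as a single path segment, `uuid = quote(str(uuid), safe='')`, covers it. The `all` and `_create` hunks concatenate the class-defined `collection_path`, so no escaping is needed there, but a comment on whether `base_uri()` is expected to end with `/` would help, since a doubled or missing separator now depends solely on that convention. `get`'s definition starts before this hunk.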

