Fix SSRF: do not use urljoin, quote uuids

recurly · Nov 9, 2017 · 94d08c9 · 94d08c9
1 parent 9836471
commit 94d08c9
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/recurly/resource.py b/recurly/resource.py
@@ -13,7 +13,7 @@
 import recurly.errors
 from recurly.link_header import parse_link_value
 from six.moves import http_client
-from six.moves.urllib.parse import urlencode, urljoin, urlsplit
+from six.moves.urllib.parse import urlencode, urlsplit, quote
 
 
 if six.PY3:
@@ -345,7 +345,8 @@ def get(cls, uuid):
         can be directly requested with this method.
 
         """
-        url = urljoin(recurly.base_uri(), cls.member_path % (uuid,))
+        uuid = quote(str(uuid))
+        url = recurly.base_uri() + (cls.member_path % (uuid,))
         resp, elem = cls.element_for_url(url)
         return cls.from_element(elem)
 
@@ -594,7 +595,7 @@ def all(cls, **kwargs):
         parameters.
 
         """
-        url = urljoin(recurly.base_uri(), cls.collection_path)
+        url = recurly.base_uri() + cls.collection_path
         if kwargs:
             url = '%s?%s' % (url, urlencode(kwargs))
         return Page.page_for_url(url)
@@ -623,7 +624,7 @@ def _update(self):
         self.update_from_element(ElementTree.fromstring(response_xml))
 
     def _create(self):
-        url = urljoin(recurly.base_uri(), self.collection_path)
+        url = recurly.base_uri() + self.collection_path
         return self.post(url)
 
     def post(self, url):