
Updated vendored _urlsplit() to strip newline and tabs.

Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use the internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
This commit is contained in:
Michael Manfre
2022-06-29 20:39:51 -04:00
committed by Mariusz Felisiak
parent 5c93a84f44
commit 03eec9ff6c
3 changed files with 25 additions and 2 deletions


@@ -177,6 +177,7 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
r"http:/\example.com",
'javascript:alert("XSS")',
"\njavascript:alert(x)",
"java\nscript:alert(x)",
"\x08//example.com",
r"http://otherserver\@example.com",
r"http:\\testserver\@example.com",
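Review bot: Only a newline variant (`"java\nscript:alert(x)"`) of the split-scheme input is present in this hunk, while the commit title says the vendored `_urlsplit()` strips tabs as well; unless another hunk in this commit already covers it, add `"java\tscript:alert(x)"` beside it so the tab-stripping path is exercised, and `"java\rscript:alert(x)"` too if the helper also removes carriage returns as CPython's fix for CVE-2022-0391 does. The rendered page does not mark which of the seven lines is the added one; the ordering suggests it is the `java\nscript` entry. The enclosing test list and the URLHasAllowedHostAndSchemeTests class continue outside the hunk.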