1
0
mirror of https://github.com/django/django.git synced 2025-10-25 06:36:07 +00:00

[1.8.x] Fixed #24321 -- Improved utils.http.same_origin compliance with RFC6454

Backport of 93b3ef9b2e from master.
This commit is contained in:
Lukas Klein
2015-02-11 11:09:51 +01:00
committed by Claude Paroz
parent a6ea62aeaf
commit 1904022f91
2 changed files with 15 additions and 2 deletions

View File

@@ -33,6 +33,11 @@ ASCTIME_DATE = re.compile(r'^\w{3} %s %s %s %s$' % (__M, __D2, __T, __Y))
RFC3986_GENDELIMS = str(":/?#[]@") RFC3986_GENDELIMS = str(":/?#[]@")
RFC3986_SUBDELIMS = str("!$&'()*+,;=") RFC3986_SUBDELIMS = str("!$&'()*+,;=")
PROTOCOL_TO_PORT = {
'http': 80,
'https': 443,
}
def urlquote(url, safe='/'): def urlquote(url, safe='/'):
""" """
@@ -253,8 +258,10 @@ def same_origin(url1, url2):
""" """
p1, p2 = urlparse(url1), urlparse(url2) p1, p2 = urlparse(url1), urlparse(url2)
try: try:
return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port) o1 = (p1.scheme, p1.hostname, p1.port or PROTOCOL_TO_PORT[p1.scheme])
except ValueError: o2 = (p2.scheme, p2.hostname, p2.port or PROTOCOL_TO_PORT[p2.scheme])
return o1 == o2
except (ValueError, KeyError):
return False return False

View File

@@ -18,6 +18,9 @@ class TestUtilsHttp(unittest.TestCase):
self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com')) self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))
# With port # With port
self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/')) self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))
# No port given but according to RFC6454 still the same origin
self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com:80/'))
self.assertTrue(http.same_origin('https://foo.com', 'https://foo.com:443/'))
def test_same_origin_false(self): def test_same_origin_false(self):
# Different scheme # Different scheme
@@ -28,6 +31,9 @@ class TestUtilsHttp(unittest.TestCase):
self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com')) self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))
# Different port # Different port
self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001')) self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))
# No port given
self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com:8000/'))
self.assertFalse(http.same_origin('https://foo.com', 'https://foo.com:8000/'))
def test_urlencode(self): def test_urlencode(self):
# 2-tuples (the norm) # 2-tuples (the norm)