mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	[1.8.x] Fixed #24321 -- Improved utils.http.same_origin compliance with RFC6454
				
					
				
			Backport of 93b3ef9b2e from master.
			
			
		
				
					committed by
					
						 Claude Paroz
						Claude Paroz
					
				
			
			
				
	
			
			
			
						parent
						
							a6ea62aeaf
						
					
				
				
					commit
					1904022f91
				
			| @@ -33,6 +33,11 @@ ASCTIME_DATE = re.compile(r'^\w{3} %s %s %s %s$' % (__M, __D2, __T, __Y)) | |||||||
| RFC3986_GENDELIMS = str(":/?#[]@") | RFC3986_GENDELIMS = str(":/?#[]@") | ||||||
| RFC3986_SUBDELIMS = str("!$&'()*+,;=") | RFC3986_SUBDELIMS = str("!$&'()*+,;=") | ||||||
|  |  | ||||||
|  | PROTOCOL_TO_PORT = { | ||||||
|  |     'http': 80, | ||||||
|  |     'https': 443, | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
| def urlquote(url, safe='/'): | def urlquote(url, safe='/'): | ||||||
|     """ |     """ | ||||||
| @@ -253,8 +258,10 @@ def same_origin(url1, url2): | |||||||
|     """ |     """ | ||||||
|     p1, p2 = urlparse(url1), urlparse(url2) |     p1, p2 = urlparse(url1), urlparse(url2) | ||||||
|     try: |     try: | ||||||
|         return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port) |         o1 = (p1.scheme, p1.hostname, p1.port or PROTOCOL_TO_PORT[p1.scheme]) | ||||||
|     except ValueError: |         o2 = (p2.scheme, p2.hostname, p2.port or PROTOCOL_TO_PORT[p2.scheme]) | ||||||
|  |         return o1 == o2 | ||||||
|  |     except (ValueError, KeyError): | ||||||
|         return False |         return False | ||||||
|  |  | ||||||
|  |  | ||||||
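Review bot: In same_origin, `p1.port or PROTOCOL_TO_PORT[p1.scheme]` (and the matching `o2` line) tests the port for truthiness, so an explicit `:0` is treated like a missing port and replaced by the scheme default. Assuming urlparse yields the integer 0 for such a URL, `http://foo.com:0/` would then compare equal to `http://foo.com/`. Testing for absence keeps the comparison strict: `port = p1.port if p1.port is not None else PROTOCOL_TO_PORT[p1.scheme]`. The new `KeyError` arm also makes any scheme outside PROTOCOL_TO_PORT with no explicit port return False, even for two identical URLs. That fails closed, which is the safe direction for an origin check, but it deserves a comment such as `# Unknown scheme and no explicit port: no default to compare, treat as different origins`. The function's signature and docstring start outside the hunk.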
|   | |||||||
| @@ -18,6 +18,9 @@ class TestUtilsHttp(unittest.TestCase): | |||||||
|         self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com')) |         self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com')) | ||||||
|         # With port |         # With port | ||||||
|         self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/')) |         self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/')) | ||||||
|  |         # No port given but according to RFC6454 still the same origin | ||||||
|  |         self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com:80/')) | ||||||
|  |         self.assertTrue(http.same_origin('https://foo.com', 'https://foo.com:443/')) | ||||||
|  |  | ||||||
|     def test_same_origin_false(self): |     def test_same_origin_false(self): | ||||||
|         # Different scheme |         # Different scheme | ||||||
| @@ -28,6 +31,9 @@ class TestUtilsHttp(unittest.TestCase): | |||||||
|         self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com')) |         self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com')) | ||||||
|         # Different port |         # Different port | ||||||
|         self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001')) |         self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001')) | ||||||
|  |         # No port given | ||||||
|  |         self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com:8000/')) | ||||||
|  |         self.assertFalse(http.same_origin('https://foo.com', 'https://foo.com:8000/')) | ||||||
|  |  | ||||||
|     def test_urlencode(self): |     def test_urlencode(self): | ||||||
|         # 2-tuples (the norm) |         # 2-tuples (the norm) | ||||||
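Review bot: The added cases use only http and https, so test_same_origin_false never exercises the new `except (ValueError, KeyError)` path in same_origin. A case such as `self.assertFalse(http.same_origin('ftp://foo.com', 'ftp://foo.com'))`, under a comment like `# Scheme without a known default port`, would pin the fail-closed result for schemes missing from PROTOCOL_TO_PORT. test_urlencode at the end of this section continues outside the hunk.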
|   | |||||||