1
0
mirror of https://github.com/django/django.git synced 2024-12-22 09:05:43 +00:00

Added safety to URL decoding in is_safe_url() on Python 2

The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
This commit is contained in:
Claude Paroz 2016-03-04 23:33:35 +01:00
parent ada7a4aefb
commit 552f03869e
4 changed files with 7 additions and 4 deletions

View File

@ -291,7 +291,10 @@ def is_safe_url(url, host=None):
if not url:
return False
if six.PY2:
url = force_text(url, errors='replace')
try:
url = force_text(url)
except UnicodeDecodeError:
return False
# Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs.
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

View File

@ -2,7 +2,7 @@
Django 1.8.11 release notes
===========================
*March 4, 2016*
*March 5, 2016*
Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).

View File

@ -2,7 +2,7 @@
Django 1.9.4 release notes
==========================
*March 4, 2016*
*March 5, 2016*
Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).

View File

@ -124,7 +124,7 @@ class TestUtilsHttp(unittest.TestCase):
)
self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
# Valid basic auth credentials are allowed.
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))