[1.11.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.

This is a security fix.
2025-10-31 09:41:08 +00:00 · 2017-03-14 10:46:53 -04:00
parent 001ff50808
commit 97e77b7bc1
5 changed files with 104 additions and 2 deletions
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -106,6 +106,8 @@ class TestUtilsHttp(unittest.TestCase):
            r'http://testserver\me:pass@example.com',
            r'http://testserver\@example.com',
            r'http:\\testserver\confirm\me@example.com',
+            'http:999999999',
+            'ftp:9999999999',
            '\n',
        )
        for bad_url in bad_urls:
@@ -126,6 +128,7 @@ class TestUtilsHttp(unittest.TestCase):
            '//testserver/',
            'http://testserver/confirm?email=me@example.com',
            '/url%20with%20spaces/',
+            'path/http:2222222222',
        )
        for good_url in good_urls:
            with ignore_warnings(category=RemovedInDjango21Warning):