1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()

This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the reporti and Tim Graham for the review.
This commit is contained in:
Claude Paroz 2016-03-04 15:41:52 +01:00
parent cecbf1bdef
commit ada7a4aefb
4 changed files with 20 additions and 14 deletions

View File

@ -290,6 +290,8 @@ def is_safe_url(url, host=None):
url = url.strip() url = url.strip()
if not url: if not url:
return False return False
if six.PY2:
url = force_text(url, errors='replace')
# Chrome treats \ completely as / in paths but it could be part of some # Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs. # basic auth credentials so we need to check both URLs.
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

View File

@ -2,11 +2,7 @@
Django 1.8.11 release notes Django 1.8.11 release notes
=========================== ===========================
*Under development* *March 4, 2016*
Django 1.8.11 fixes several bugs in 1.8.10. Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
Bugfixes
========
* ...

View File

@ -2,11 +2,7 @@
Django 1.9.4 release notes Django 1.9.4 release notes
========================== ==========================
*Under development* *March 4, 2016*
Django 1.9.4 fixes several bugs in 1.9.3. Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
Bugfixes
========
* ...

View File

@ -1,3 +1,4 @@
# -*- encoding: utf-8 -*-
from __future__ import unicode_literals from __future__ import unicode_literals
import sys import sys
@ -114,6 +115,17 @@ class TestUtilsHttp(unittest.TestCase):
'http://testserver/confirm?email=me@example.com', 'http://testserver/confirm?email=me@example.com',
'/url%20with%20spaces/'): '/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
if six.PY2:
# Check binary URLs, regression tests for #26308
self.assertTrue(
http.is_safe_url(b'https://testserver/', host='testserver'),
"binary URLs should be allowed on Python 2"
)
self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
# Valid basic auth credentials are allowed. # Valid basic auth credentials are allowed.
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
# A path without host is allowed. # A path without host is allowed.