mirror of https://github.com/django/django.git
Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
This fixes a regression introduced by c5544d2892
.
Thanks John Eskew for the reporti and Tim Graham for the review.
This commit is contained in:
parent
cecbf1bdef
commit
ada7a4aefb
|
@ -290,6 +290,8 @@ def is_safe_url(url, host=None):
|
||||||
url = url.strip()
|
url = url.strip()
|
||||||
if not url:
|
if not url:
|
||||||
return False
|
return False
|
||||||
|
if six.PY2:
|
||||||
|
url = force_text(url, errors='replace')
|
||||||
# Chrome treats \ completely as / in paths but it could be part of some
|
# Chrome treats \ completely as / in paths but it could be part of some
|
||||||
# basic auth credentials so we need to check both URLs.
|
# basic auth credentials so we need to check both URLs.
|
||||||
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
|
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
|
||||||
|
|
|
@ -2,11 +2,7 @@
|
||||||
Django 1.8.11 release notes
|
Django 1.8.11 release notes
|
||||||
===========================
|
===========================
|
||||||
|
|
||||||
*Under development*
|
*March 4, 2016*
|
||||||
|
|
||||||
Django 1.8.11 fixes several bugs in 1.8.10.
|
Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
|
||||||
|
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
|
||||||
Bugfixes
|
|
||||||
========
|
|
||||||
|
|
||||||
* ...
|
|
||||||
|
|
|
@ -2,11 +2,7 @@
|
||||||
Django 1.9.4 release notes
|
Django 1.9.4 release notes
|
||||||
==========================
|
==========================
|
||||||
|
|
||||||
*Under development*
|
*March 4, 2016*
|
||||||
|
|
||||||
Django 1.9.4 fixes several bugs in 1.9.3.
|
Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release
|
||||||
|
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
|
||||||
Bugfixes
|
|
||||||
========
|
|
||||||
|
|
||||||
* ...
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
# -*- encoding: utf-8 -*-
|
||||||
from __future__ import unicode_literals
|
from __future__ import unicode_literals
|
||||||
|
|
||||||
import sys
|
import sys
|
||||||
|
@ -114,6 +115,17 @@ class TestUtilsHttp(unittest.TestCase):
|
||||||
'http://testserver/confirm?email=me@example.com',
|
'http://testserver/confirm?email=me@example.com',
|
||||||
'/url%20with%20spaces/'):
|
'/url%20with%20spaces/'):
|
||||||
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
|
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
|
||||||
|
|
||||||
|
if six.PY2:
|
||||||
|
# Check binary URLs, regression tests for #26308
|
||||||
|
self.assertTrue(
|
||||||
|
http.is_safe_url(b'https://testserver/', host='testserver'),
|
||||||
|
"binary URLs should be allowed on Python 2"
|
||||||
|
)
|
||||||
|
self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
|
||||||
|
self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
|
||||||
|
self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
|
||||||
|
|
||||||
# Valid basic auth credentials are allowed.
|
# Valid basic auth credentials are allowed.
|
||||||
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
|
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
|
||||||
# A path without host is allowed.
|
# A path without host is allowed.
|
||||||
|
|
Loading…
Reference in New Issue