mirror of
https://github.com/django/django.git
synced 2025-10-23 21:59:11 +00:00
Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string.
This commit is contained in:
committed by
Tim Graham
parent
b5dd6ef3d5
commit
d22b90b4ea
1
AUTHORS
1
AUTHORS
@@ -678,6 +678,7 @@ answer newbie questions, and generally made Django that much better:
|
|||||||
Preston Holmes <preston@ptone.com>
|
Preston Holmes <preston@ptone.com>
|
||||||
Preston Timmons <prestontimmons@gmail.com>
|
Preston Timmons <prestontimmons@gmail.com>
|
||||||
Priyansh Saxena <askpriyansh@gmail.com>
|
Priyansh Saxena <askpriyansh@gmail.com>
|
||||||
|
Przemysław Suliga <http://suligap.net>
|
||||||
Rachel Tobin <rmtobin@me.com>
|
Rachel Tobin <rmtobin@me.com>
|
||||||
Rachel Willmer <http://www.willmer.com/kb/>
|
Rachel Willmer <http://www.willmer.com/kb/>
|
||||||
Radek Švarz <http://www.svarz.cz/translate/>
|
Radek Švarz <http://www.svarz.cz/translate/>
|
||||||
|
@@ -298,6 +298,8 @@ def is_safe_url(url, allowed_hosts, require_https=False):
|
|||||||
return False
|
return False
|
||||||
if allowed_hosts is None:
|
if allowed_hosts is None:
|
||||||
allowed_hosts = set()
|
allowed_hosts = set()
|
||||||
|
elif isinstance(allowed_hosts, str):
|
||||||
|
allowed_hosts = {allowed_hosts}
|
||||||
# Chrome treats \ completely as / in paths but it could be part of some
|
# Chrome treats \ completely as / in paths but it could be part of some
|
||||||
# basic auth credentials so we need to check both URLs.
|
# basic auth credentials so we need to check both URLs.
|
||||||
return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
|
return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
|
||||||
|
@@ -165,6 +165,10 @@ class IsSafeURLTests(unittest.TestCase):
|
|||||||
# Basic auth without host is not allowed.
|
# Basic auth without host is not allowed.
|
||||||
self.assertIs(is_safe_url(r'http://testserver\@example.com', allowed_hosts=None), False)
|
self.assertIs(is_safe_url(r'http://testserver\@example.com', allowed_hosts=None), False)
|
||||||
|
|
||||||
|
def test_allowed_hosts_str(self):
|
||||||
|
self.assertIs(is_safe_url('http://good.com/good', allowed_hosts='good.com'), True)
|
||||||
|
self.assertIs(is_safe_url('http://good.co/evil', allowed_hosts='good.com'), False)
|
||||||
|
|
||||||
def test_secure_param_https_urls(self):
|
def test_secure_param_https_urls(self):
|
||||||
secure_urls = (
|
secure_urls = (
|
||||||
'https://example.com/p',
|
'https://example.com/p',
|
||||||
|
Reference in New Issue
Block a user