[1.6.x] Prevented reverse() from generating URLs pointing to other hosts.

This is a security fix. Disclosure following shortly.
2025-10-31 09:41:08 +00:00 · 2014-07-17 21:59:28 +02:00
parent 52b878d805
commit da051da8df
6 changed files with 50 additions and 1 deletions
--- a/tests/urlpatterns_reverse/tests.py
+++ b/tests/urlpatterns_reverse/tests.py
@@ -147,6 +147,9 @@ test_data = (
    ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
    ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
    ('defaults', NoReverseMatch, [], {'arg2': 1}),
+
+    # Security tests
+    ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
 )

 class NoURLPatternsTests(TestCase):
--- a/tests/urlpatterns_reverse/urls.py
+++ b/tests/urlpatterns_reverse/urls.py
@@ -71,4 +71,7 @@ urlpatterns = patterns('',
    (r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),

    url('^includes/', include(other_patterns)),
+
+    # Security tests
+    url('(.+)/security/$', empty_view, name='security'),
 )