
[1.7.x] Fixed is_safe_url() to handle leading whitespace.

This is a security fix. Disclosure following shortly.
This commit is contained in:
Tim Graham
2014-12-03 16:14:00 -05:00
parent 41b4bc73ee
commit de67dedc77
5 changed files with 45 additions and 1 deletions


@@ -272,6 +272,7 @@ def is_safe_url(url, host=None):
"""
if not url:
return False
url = url.strip()
# Chrome treats \ completely as /
url = url.replace('\\', '/')
# Chrome considers any URL with more than two slashes to be absolute, but
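Review bot: The emptiness guard two lines above the new `url = url.strip()` runs before the strip, so a value consisting only of whitespace passes `if not url` and continues as the empty string; what the rest of is_safe_url returns for an empty URL is outside this hunk, but the stated intent of the fix suggests the order should be `url = url.strip()` followed by `if not url:` / `return False`. Note also that `str.strip()` removes whitespace only, so any leading non-whitespace control character is left in place and reaches the `\` to `/` replacement unchanged — whether that matters depends on parsing code outside the hunk. A why-comment on the new line, e.g. `# Browsers ignore leading whitespace; strip it before any parsing.`, would record the reason the strip sits here. The body of is_safe_url begins and continues outside this hunk.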