Loading django/utils/http.py +2 −0 Original line number Diff line number Diff line Loading @@ -277,6 +277,8 @@ def is_safe_url(url, host=None): url = url.strip() if not url: return False if six.PY2: url = force_text(url, errors='replace') # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) Loading docs/releases/1.8.11.txt +3 −7 Original line number Diff line number Diff line Loading @@ -2,11 +2,7 @@ Django 1.8.11 release notes =========================== *Under development* *March 4, 2016* Django 1.8.11 fixes several bugs in 1.8.10. Bugfixes ======== * ... Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). tests/utils_tests/test_http.py +12 −0 Original line number Diff line number Diff line # -*- encoding: utf-8 -*- from __future__ import unicode_literals import sys Loading Loading @@ -134,6 +135,17 @@ class TestUtilsHttp(unittest.TestCase): 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) if six.PY2: # Check binary URLs, regression tests for #26308 self.assertTrue( http.is_safe_url(b'https://testserver/', host='testserver'), "binary URLs should be allowed on Python 2" ) self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) # A path without host is allowed. Loading Loading
django/utils/http.py +2 −0 Original line number Diff line number Diff line Loading @@ -277,6 +277,8 @@ def is_safe_url(url, host=None): url = url.strip() if not url: return False if six.PY2: url = force_text(url, errors='replace') # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) Loading
docs/releases/1.8.11.txt +3 −7 Original line number Diff line number Diff line Loading @@ -2,11 +2,7 @@ Django 1.8.11 release notes =========================== *Under development* *March 4, 2016* Django 1.8.11 fixes several bugs in 1.8.10. Bugfixes ======== * ... Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
tests/utils_tests/test_http.py +12 −0 Original line number Diff line number Diff line # -*- encoding: utf-8 -*- from __future__ import unicode_literals import sys Loading Loading @@ -134,6 +135,17 @@ class TestUtilsHttp(unittest.TestCase): 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) if six.PY2: # Check binary URLs, regression tests for #26308 self.assertTrue( http.is_safe_url(b'https://testserver/', host='testserver'), "binary URLs should be allowed on Python 2" ) self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) # A path without host is allowed. Loading
