Commit beb392b8 authored by Claude Paroz's avatar Claude Paroz
Browse files

[1.8.x] Added safety to URL decoding in is_safe_url() on Python 2 

The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc9352 and ada7a4ae.
Backport of 552f0386 from master.
parent 28bed24f

django/utils/http.py

+4 −1
Original line number Diff line number Diff line
@@ -278,7 +278,10 @@ def is_safe_url(url, host=None): 
    if not url:

        return False

    if six.PY2:

        url = force_text(url, errors='replace')

        try:

            url = force_text(url)

        except UnicodeDecodeError:

            return False

    # Chrome treats \ completely as / in paths but it could be part of some

    # basic auth credentials so we need to check both URLs.

    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

docs/releases/1.8.11.txt

+1 −1
Original line number Diff line number Diff line
@@ -2,7 +2,7 @@ 
Django 1.8.11 release notes

===========================



*March 4, 2016*

*March 5, 2016*



Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release

where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).

tests/utils_tests/test_http.py

+1 −1
Original line number Diff line number Diff line
@@ -144,7 +144,7 @@ class TestUtilsHttp(unittest.TestCase): 
            )

            self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))

            self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))

            self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))

            self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))



        # Valid basic auth credentials are allowed.

        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))