Commit bf650a2e authored by Florian Apolloner, committed by Tim Graham

[1.7.x] Prevented reverse() from generating URLs pointing to other hosts.

This is a security fix. Disclosure following shortly.
parent 1c00c38b
+5 −1
@@ -442,7 +442,11 @@ class RegexURLResolver(LocaleRegexProvider):
                candidate_pat = prefix_norm.replace('%', '%%') + result
                if re.search('^%s%s' % (prefix_norm, pattern), candidate_pat % candidate_subs, re.UNICODE):
                    candidate_subs = dict((k, urlquote(v)) for (k, v) in candidate_subs.items())
                    return candidate_pat % candidate_subs
                    url = candidate_pat % candidate_subs
                    # Don't allow construction of scheme relative urls.
                    if url.startswith('//'):
                        url = '/%%2F%s' % url[2:]
                    return url
        # lookup_view can be URL label, or dotted path, or callable, Any of
        # these can be passed in at the top, but callables are not friendly in
        # error messages.
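Review bot: the new guard `if url.startswith('//')` only catches the scheme-relative form because it runs after the `urlquote` call on the line above, and `urlquote` leaves `/` unencoded by default (its `safe` argument is `'/'`); that is exactly what lets a substitution value such as `/example.com` under a pattern mounted at the site root produce `//example.com/...`, so it is worth saying so in the comment rather than the bare `# Don't allow construction of scheme relative urls.` (also: `scheme-relative`). The check does cover longer runs of slashes, since `///example.com` still starts with `//` and becomes `/%2F/example.com`, but it does not cover a leading `/\`, which browsers treat like `//`; because `urlquote` encodes `\` in substitutions as `%5C`, that can only arise from a literal backslash in the URL pattern itself, so either note that assumption in the comment or extend the check to `url[:2] in ('//', '/\\')`.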
+13 −0
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
*Under development*

Django 1.4.14 fixes several security issues in 1.4.13.

:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================

In certain situations, URL reversing could generate scheme-relative URLs  (URLs
starting with two slashes), which could unexpectedly redirect a user  to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.
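Review bot: the added paragraphs carry double spaces in `URLs  (URLs` and `user  to a`, and `user's passwords` should be `users' passwords`; the same text is pasted verbatim into the 1.5.9 and 1.6.6 notes below, so fix all three copies together. "making the URL relative to the domain" would be more precise as "relative to the host", since the encoded second slash is what stops browsers from reading the leading `//` as an authority.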
+13 −0
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
*Under development*

Django 1.5.9 fixes several security issues in 1.5.8.

:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================

In certain situations, URL reversing could generate scheme-relative URLs  (URLs
starting with two slashes), which could unexpectedly redirect a user  to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.
+13 −0
@@ -6,6 +6,19 @@ Django 1.6.6 release notes

Django 1.6.6 fixes several security issues and bugs in 1.6.5.

:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================

In certain situations, URL reversing could generate scheme-relative URLs  (URLs
starting with two slashes), which could unexpectedly redirect a user  to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.

Bugfixes
========

+3 −0
@@ -151,6 +151,9 @@ test_data = (
    ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
    ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
    ('defaults', NoReverseMatch, [], {'arg2': 1}),

    # Security tests
    ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
)


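Review bot: the single new case covers only an argument whose leading slash lands at the start of the URL; add a sibling case for the same `'security'` name with a plain argument (e.g. `['example.com']` expecting `/example.com/security/`) to show ordinary reversals are untouched, and one with `['//example.com']` expecting `/%2F/example.com/security/` to pin down that only the second slash is encoded however many leading slashes there are. The `'security'` pattern this case reverses is not in any of the visible hunks, so confirm it is registered in the test urlconf used by this table.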