Fixed a security issue in http redirects. Disclosure and new release forthcoming.

tests/regressiontests/httpwrappers/tests.py

@@ -4,8 +4,11 @@ from __future__ import unicode_literals
 import copy
 import pickle
 
-from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError,
-        parse_cookie)
+from django.core.exceptions import SuspiciousOperation
+from django.http import (QueryDict, HttpResponse, HttpResponseRedirect,
+                         HttpResponsePermanentRedirect,
+                         SimpleCookie, BadHeaderError,
+                         parse_cookie)
 from django.utils import unittest
 
 
@@ -309,6 +312,18 @@ class HttpResponseTests(unittest.TestCase):
         r = HttpResponse(['abc'])
         self.assertRaises(Exception, r.write, 'def')
 
+    def test_unsafe_redirect(self):
+        bad_urls = [
+            'data:text/html,<script>window.alert("xss")</script>',
+            'mailto:test@example.com',
+            'file:///etc/passwd',
+        ]
+        for url in bad_urls:
+            self.assertRaises(SuspiciousOperation,
+                              HttpResponseRedirect, url)
+            self.assertRaises(SuspiciousOperation,
+                              HttpResponsePermanentRedirect, url)
+
 
 class CookieTests(unittest.TestCase):
     def test_encode(self):