Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.

This is a security fix.
2025-10-23 21:59:11 +00:00 · 2017-03-14 10:46:53 -04:00
parent a1f948b468
commit 5ea48a70af
5 changed files with 93 additions and 3 deletions
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -97,6 +97,8 @@ class TestUtilsHttp(unittest.TestCase):
            r'http://testserver\me:pass@example.com',
            r'http://testserver\@example.com',
            r'http:\\testserver\confirm\me@example.com',
+            'http:999999999',
+            'ftp:9999999999',
            '\n',
        )
        for bad_url in bad_urls:
@@ -117,6 +119,7 @@ class TestUtilsHttp(unittest.TestCase):
            '//testserver/',
            'http://testserver/confirm?email=me@example.com',
            '/url%20with%20spaces/',
+            'path/http:2222222222',
        )
        for good_url in good_urls:
            with ignore_warnings(category=RemovedInDjango21Warning):