	Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the report and Tim Graham for the review.
			
			
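--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -290,6 +290,8 @@ def is_safe_url(url, host=None):
         url = url.strip()
     if not url:
         return False
+    if six.PY2:
+        url = force_text(url, errors='replace')
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)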
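Review bot: The new `force_text(url, errors='replace')` validates a substituted copy rather than the bytes the caller will actually redirect to — every undecodable byte becomes U+FFFD before `_is_safe_url` applies its checks, so the text that is checked and the bytes that are emitted can differ. Unless lenient decoding is a deliberate Python 2 compatibility choice, the safer default is to treat undecodable input as unsafe: wrap `url = force_text(url)` in a `try`/`except UnicodeDecodeError:` that returns `False`, and state the intent on the branch with a comment such as `# Decode bytes before the checks below so they inspect text, not a byte string.` On Python 3 a bytes `url` skips this branch and still reaches `url.replace('\\', '/')` with str arguments, which will most likely raise TypeError; if bytes are simply unsupported there, the function docstring (outside this hunk) should say so. `is_safe_url` starts before the hunk, and `six` and `force_text` are assumed to be imported elsewhere in the module, which this hunk does not show.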
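--- a/docs/releases/1.8.11.txt
+++ b/docs/releases/1.8.11.txt
@@ -2,11 +2,7 @@
 Django 1.8.11 release notes
 ===========================
 
-*Under development*
+*March 4, 2016*
 
-Django 1.8.11 fixes several bugs in 1.8.10.
-
-Bugfixes
-========
-
-* ...
+Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
+where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).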
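--- a/docs/releases/1.9.4.txt
+++ b/docs/releases/1.9.4.txt
@@ -2,11 +2,7 @@
 Django 1.9.4 release notes
 ==========================
 
-*Under development*
+*March 4, 2016*
 
-Django 1.9.4 fixes several bugs in 1.9.3.
-
-Bugfixes
-========
-
-* ...
+Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release
+where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).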
| @@ -1,3 +1,4 @@ | |||||||
|  | # -*- encoding: utf-8 -*- | ||||||
| from __future__ import unicode_literals | from __future__ import unicode_literals | ||||||
|  |  | ||||||
| import sys | import sys | ||||||
| @@ -114,6 +115,17 @@ class TestUtilsHttp(unittest.TestCase): | |||||||
|                      'http://testserver/confirm?email=me@example.com', |                      'http://testserver/confirm?email=me@example.com', | ||||||
|                      '/url%20with%20spaces/'): |                      '/url%20with%20spaces/'): | ||||||
|             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) |             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) | ||||||
|  |  | ||||||
|  |         if six.PY2: | ||||||
|  |             # Check binary URLs, regression tests for #26308 | ||||||
|  |             self.assertTrue( | ||||||
|  |                 http.is_safe_url(b'https://testserver/', host='testserver'), | ||||||
|  |                 "binary URLs should be allowed on Python 2" | ||||||
|  |             ) | ||||||
|  |             self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) | ||||||
|  |             self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) | ||||||
|  |             self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) | ||||||
|  |  | ||||||
|         # Valid basic auth credentials are allowed. |         # Valid basic auth credentials are allowed. | ||||||
|         self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) |         self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) | ||||||
|         # A path without host is allowed. |         # A path without host is allowed. | ||||||
|   | |||||||
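Review bot: The new regression tests under `if six.PY2:` pin the Python 2 behaviour only; nothing asserts what `is_safe_url` does with a bytes URL on Python 3, where the new decode branch is skipped and the input reaches the str-based checks unchanged. An `else:` branch asserting the Python 3 outcome — `assertRaises(TypeError, ...)` or a `False` return, whichever is the intended contract — would keep the two interpreters from silently diverging. A case with an undecodable byte, e.g. `b'\xff/view/'`, would also pin whether `errors='replace'` is meant to accept such input rather than reject it. The enclosing test method starts before this hunk, so the `good_url` loop it belongs to is only partly visible here.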