Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().

Per deprecation timeline.
2017-09-02 20:12:27 -04:00 · 2017-09-02 20:12:27 -04:00 · 96107e2844
parent e47b56d791
commit 96107e2844
3 changed files with 3 additions and 17 deletions
--- a/django/utils/http.py
+++ b/django/utils/http.py
@ -3,7 +3,6 @@ import calendar
 import datetime
 import re
 import unicodedata
-import warnings
 from binascii import Error as BinasciiError
 from email.utils import formatdate
 from urllib.parse import (
@ -14,7 +13,6 @@ from urllib.parse import (

 from django.core.exceptions import TooManyFieldsSent
 from django.utils.datastructures import MultiValueDict
-from django.utils.deprecation import RemovedInDjango21Warning
 from django.utils.encoding import force_bytes
 from django.utils.functional import keep_lazy_text

@ -264,7 +262,7 @@ def is_same_domain(host, pattern):
    )


-def is_safe_url(url, host=None, allowed_hosts=None, require_https=False):
+def is_safe_url(url, allowed_hosts=None, require_https=False):
    """
    Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
    a different host and uses a safe scheme).
@ -280,14 +278,6 @@ def is_safe_url(url, host=None, allowed_hosts=None, require_https=False):
        return False
    if allowed_hosts is None:
        allowed_hosts = set()
-    if host:
-        warnings.warn(
-            "The host argument is deprecated, use allowed_hosts instead.",
-            RemovedInDjango21Warning,
-            stacklevel=2,
-        )
-        # Avoid mutating the passed in allowed_hosts.
-        allowed_hosts = allowed_hosts | {host}
    # Chrome treats \ completely as / in paths but it could be part of some
    # basic auth credentials so we need to check both URLs.
    return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
--- a/docs/releases/2.1.txt
+++ b/docs/releases/2.1.txt
@ -239,3 +239,5 @@ how to remove usage of these features.

 * ``django.core.cache.backends.memcached.PyLibMCCache`` no longer supports
  passing ``pylibmc`` behavior settings as top-level attributes of ``OPTIONS``.
+
+* The ``host`` parameter of ``django.utils.http.is_safe_url()`` is removed.
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@ -1,10 +1,8 @@
 import unittest
 from datetime import datetime

-from django.test import ignore_warnings
 from django.utils import http
 from django.utils.datastructures import MultiValueDict
-from django.utils.deprecation import RemovedInDjango21Warning


 class TestUtilsHttp(unittest.TestCase):
@ -107,8 +105,6 @@ class TestUtilsHttp(unittest.TestCase):
            'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
        )
        for bad_url in bad_urls:
-            with ignore_warnings(category=RemovedInDjango21Warning):
-                self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
            self.assertFalse(
                http.is_safe_url(bad_url, allowed_hosts={'testserver', 'testserver2'}),
                "%s should be blocked" % bad_url,
@ -127,8 +123,6 @@ class TestUtilsHttp(unittest.TestCase):
            'path/http:2222222222',
        )
        for good_url in good_urls:
-            with ignore_warnings(category=RemovedInDjango21Warning):
-                self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
            self.assertTrue(
                http.is_safe_url(good_url, allowed_hosts={'otherserver', 'testserver'}),
                "%s should be allowed" % good_url,