From beb392b85e71fdd41209d323126181d74090fecb Mon Sep 17 00:00:00 2001
From: Claude Paroz <claude@2xlibre.net>
Date: Fri, 4 Mar 2016 23:33:35 +0100
Subject: [PATCH] [1.8.x] Added safety to URL decoding in is_safe_url() on
 Python 2

The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
Backport of 552f03869e from master.
---
 django/utils/http.py           | 5 ++++-
 docs/releases/1.8.11.txt       | 2 +-
 tests/utils_tests/test_http.py | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/django/utils/http.py b/django/utils/http.py
index 68f77fba5e..b70720d844 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -278,7 +278,10 @@ def is_safe_url(url, host=None):
     if not url:
         return False
     if six.PY2:
-        url = force_text(url, errors='replace')
+        try:
+            url = force_text(url)
+        except UnicodeDecodeError:
+            return False
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
diff --git a/docs/releases/1.8.11.txt b/docs/releases/1.8.11.txt
index b01807129b..f33149b9e7 100644
--- a/docs/releases/1.8.11.txt
+++ b/docs/releases/1.8.11.txt
@@ -2,7 +2,7 @@
 Django 1.8.11 release notes
 ===========================
 
-*March 4, 2016*
+*March 5, 2016*
 
 Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
 where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 106f149515..c487d80744 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -144,7 +144,7 @@ class TestUtilsHttp(unittest.TestCase):
             )
             self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
             self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
-            self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
+            self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
 
         # Valid basic auth credentials are allowed.
         self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))