[1.11.x] Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.
Backport of 856072dd4a
from master
parent
4841fafb44
commit
03d0c05fdf
|
@ -387,7 +387,10 @@ def _is_safe_url(url, allowed_hosts, require_https=False):
|
|||
# urlparse is not so flexible. Treat any url with three slashes as unsafe.
|
||||
if url.startswith('///'):
|
||||
return False
|
||||
try:
|
||||
url_info = _urlparse(url)
|
||||
except ValueError: # e.g. invalid IPv6 addresses
|
||||
return False
|
||||
# Forbid URLs like http:///example.com - with a scheme, but without a hostname.
|
||||
# In that URL, example.com is not the hostname but, a path component. However,
|
||||
# Chrome will still consider example.com to be the hostname, so we must not
|
||||
|
|
|
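Review bot: The comment on the new `except ValueError:` names the symptom but not the trigger, which makes it easy for a later reader to widen or drop the handler; the two regression inputs added to the tests are URLs whose IPv6 brackets in the netloc are unbalanced, so `except ValueError:  # urlparse rejects e.g. unbalanced IPv6 brackets in the netloc` would tie the guard to what it actually catches. The docstring of `_is_safe_url`, which begins above the hunk, should also state that a URL urlparse cannot handle is reported as unsafe, since callers deciding whether to follow a redirect depend on that fail-closed outcome rather than on an exception propagating. The function body continues past the last hunk line.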
@ -15,3 +15,6 @@ Bugfixes
|
|||
* Changed ``contrib.gis`` to raise ``ImproperlyConfigured`` rather than
|
||||
``GDALException`` if ``gdal`` isn't installed, to allow third-party apps to
|
||||
catch that exception (:ticket:`28178`).
|
||||
|
||||
* Fixed ``django.utils.http.is_safe_url()`` crash on invalid IPv6 URLs
|
||||
(:ticket:`28142`).
|
||||
|
|
|
@ -109,6 +109,8 @@ class TestUtilsHttp(unittest.TestCase):
|
|||
'http:999999999',
|
||||
'ftp:9999999999',
|
||||
'\n',
|
||||
'http://[2001:cdba:0000:0000:0000:0000:3257:9652/',
|
||||
'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
|
||||
)
|
||||
for bad_url in bad_urls:
|
||||
with ignore_warnings(category=RemovedInDjango21Warning):
|
||||
|
|
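Review bot: The two new `bad_urls` entries give no hint of why they exist, so a reader tidying the tuple could take them for duplicates of the other malformed hosts; a one-line comment above them such as `# Unbalanced IPv6 brackets: urlparse raises ValueError (#28142).` would record the regression they pin. Each covers one direction of imbalance (missing `]`, missing `[`), which is worth saying in that comment so neither is dropped. The enclosing test method starts above the hunk and the loop body that asserts on each `bad_url` continues past it.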