diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py index 277307acd6c..ac13339f9ee 100644 --- a/django/contrib/auth/tests/test_views.py +++ b/django/contrib/auth/tests/test_views.py @@ -444,8 +444,10 @@ class LoginTest(AuthViewsTestCase): # Those URLs should not pass the security check for bad_url in ('http://example.com', + 'http:///example.com', 'https://example.com', 'ftp://exampel.com', + '///example.com', '//example.com', 'javascript:alert("XSS")'): @@ -467,8 +469,8 @@ class LoginTest(AuthViewsTestCase): '/view/?param=https://example.com', '/view?param=ftp://exampel.com', 'view/?param=//example.com', - 'https:///', - 'HTTPS:///', + 'https://testserver/', + 'HTTPS://testserver/', '//testserver/', '/url%20with%20spaces/'): # see ticket #12534 safe_url = '%(url)s?%(next)s=%(good_url)s' % { @@ -660,8 +662,10 @@ class LogoutTest(AuthViewsTestCase): # Those URLs should not pass the security check for bad_url in ('http://example.com', + 'http:///example.com', 'https://example.com', 'ftp://exampel.com', + '///example.com', '//example.com', 'javascript:alert("XSS")'): nasty_url = '%(url)s?%(next)s=%(bad_url)s' % { @@ -681,8 +685,8 @@ class LogoutTest(AuthViewsTestCase): '/view/?param=https://example.com', '/view?param=ftp://exampel.com', 'view/?param=//example.com', - 'https:///', - 'HTTPS:///', + 'https://testserver/', + 'HTTPS://testserver/', '//testserver/', '/url%20with%20spaces/'): # see ticket #12534 safe_url = '%(url)s?%(next)s=%(good_url)s' % { diff --git a/django/utils/http.py b/django/utils/http.py index 571a179830c..ee7ecf10ec8 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -256,6 +256,18 @@ def is_safe_url(url, host=None): """ if not url: return False + # Chrome treats \ completely as / + url = url.replace('\\', '/') + # Chrome considers any URL with more than two slashes to be absolute, but + # urlaprse is not so flexible. Treat any url with three slashes as unsafe. + if url.startswith('///'): + return False url_info = urlparse(url) + # Forbid URLs like http:///example.com - with a scheme, but without a hostname. + # In that URL, example.com is not the hostname but, a path component. However, + # Chrome will still consider example.com to be the hostname, so we must not + # allow this syntax. + if not url_info.netloc and url_info.scheme: + return False return (not url_info.netloc or url_info.netloc == host) and \ (not url_info.scheme or url_info.scheme in ['http', 'https']) diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 3da279d4a21..83dcd7c66a0 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -91,6 +91,35 @@ class TestUtilsHttp(unittest.TestCase): self.assertEqual(http.int_to_base36(n), b36) self.assertEqual(http.base36_to_int(b36), n) + def test_is_safe_url(self): + for bad_url in ('http://example.com', + 'http:///example.com', + 'https://example.com', + 'ftp://exampel.com', + r'\\example.com', + r'\\\example.com', + r'/\\/example.com', + r'\\\example.com', + r'\\example.com', + r'\\//example.com', + r'/\/example.com', + r'\/example.com', + r'/\example.com', + 'http:///example.com', + 'http:/\//example.com', + 'http:\/example.com', + 'http:/\example.com', + 'javascript:alert("XSS")'): + self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) + for good_url in ('/view/?param=http://example.com', + '/view/?param=https://example.com', + '/view?param=ftp://exampel.com', + 'view/?param=//example.com', + 'https://testserver/', + 'HTTPS://testserver/', + '//testserver/', + '/url%20with%20spaces/'): + self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) class ETagProcessingTests(unittest.TestCase): def testParsing(self):