Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.

This commit is contained in:
UmanShahzad 2017-04-29 19:10:43 -04:00 committed by Tim Graham
parent 3db84b5526
commit 856072dd4a
3 changed files with 9 additions and 1 deletions

View File

@ -349,7 +349,10 @@ def _is_safe_url(url, allowed_hosts, require_https=False):
# urlparse is not so flexible. Treat any url with three slashes as unsafe. # urlparse is not so flexible. Treat any url with three slashes as unsafe.
if url.startswith('///'): if url.startswith('///'):
return False return False
url_info = _urlparse(url) try:
url_info = _urlparse(url)
except ValueError: # e.g. invalid IPv6 addresses
return False
# Forbid URLs like http:///example.com - with a scheme, but without a hostname. # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
# In that URL, example.com is not the hostname but, a path component. However, # In that URL, example.com is not the hostname but, a path component. However,
# Chrome will still consider example.com to be the hostname, so we must not # Chrome will still consider example.com to be the hostname, so we must not

View File

@ -15,3 +15,6 @@ Bugfixes
* Changed ``contrib.gis`` to raise ``ImproperlyConfigured`` rather than * Changed ``contrib.gis`` to raise ``ImproperlyConfigured`` rather than
``GDALException`` if ``gdal`` isn't installed, to allow third-party apps to ``GDALException`` if ``gdal`` isn't installed, to allow third-party apps to
catch that exception (:ticket:`28178`). catch that exception (:ticket:`28178`).
* Fixed ``django.utils.http.is_safe_url()`` crash on invalid IPv6 URLs
(:ticket:`28142`).

View File

@ -100,6 +100,8 @@ class TestUtilsHttp(unittest.TestCase):
'http:999999999', 'http:999999999',
'ftp:9999999999', 'ftp:9999999999',
'\n', '\n',
'http://[2001:cdba:0000:0000:0000:0000:3257:9652/',
'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
) )
for bad_url in bad_urls: for bad_url in bad_urls:
with ignore_warnings(category=RemovedInDjango21Warning): with ignore_warnings(category=RemovedInDjango21Warning):