mirror of https://github.com/django/django.git
Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().
Per deprecation timeline.
parent
e47b56d791
commit
96107e2844
|
@ -3,7 +3,6 @@ import calendar
|
||||||
import datetime
|
import datetime
|
||||||
import re
|
import re
|
||||||
import unicodedata
|
import unicodedata
|
||||||
import warnings
|
|
||||||
from binascii import Error as BinasciiError
|
from binascii import Error as BinasciiError
|
||||||
from email.utils import formatdate
|
from email.utils import formatdate
|
||||||
from urllib.parse import (
|
from urllib.parse import (
|
||||||
|
@ -14,7 +13,6 @@ from urllib.parse import (
|
||||||
|
|
||||||
from django.core.exceptions import TooManyFieldsSent
|
from django.core.exceptions import TooManyFieldsSent
|
||||||
from django.utils.datastructures import MultiValueDict
|
from django.utils.datastructures import MultiValueDict
|
||||||
from django.utils.deprecation import RemovedInDjango21Warning
|
|
||||||
from django.utils.encoding import force_bytes
|
from django.utils.encoding import force_bytes
|
||||||
from django.utils.functional import keep_lazy_text
|
from django.utils.functional import keep_lazy_text
|
||||||
|
|
||||||
|
@ -264,7 +262,7 @@ def is_same_domain(host, pattern):
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def is_safe_url(url, host=None, allowed_hosts=None, require_https=False):
|
def is_safe_url(url, allowed_hosts=None, require_https=False):
|
||||||
"""
|
"""
|
||||||
Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
|
Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
|
||||||
a different host and uses a safe scheme).
|
a different host and uses a safe scheme).
|
||||||
|
@ -280,14 +278,6 @@ def is_safe_url(url, host=None, allowed_hosts=None, require_https=False):
|
||||||
return False
|
return False
|
||||||
if allowed_hosts is None:
|
if allowed_hosts is None:
|
||||||
allowed_hosts = set()
|
allowed_hosts = set()
|
||||||
if host:
|
|
||||||
warnings.warn(
|
|
||||||
"The host argument is deprecated, use allowed_hosts instead.",
|
|
||||||
RemovedInDjango21Warning,
|
|
||||||
stacklevel=2,
|
|
||||||
)
|
|
||||||
# Avoid mutating the passed in allowed_hosts.
|
|
||||||
allowed_hosts = allowed_hosts | {host}
|
|
||||||
# Chrome treats \ completely as / in paths but it could be part of some
|
# Chrome treats \ completely as / in paths but it could be part of some
|
||||||
# basic auth credentials so we need to check both URLs.
|
# basic auth credentials so we need to check both URLs.
|
||||||
return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
|
return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
|
||||||
|
|
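Review bot: With `host` removed from `def is_safe_url(url, allowed_hosts=None, require_https=False)`, a caller that still passes the host positionally, as in `is_safe_url(url, request.get_host())`, now binds a plain string to `allowed_hosts` with no error or warning. Callers using `host=` as a keyword fail loudly with a TypeError, but the positional form does not. If `_is_safe_url` tests the netloc with `in` (its body is not visible here, so this is an assumption), the check becomes a substring match against the host name instead of set membership, which weakens the redirect validation. I would normalise the argument next to the existing `if allowed_hosts is None:` branch with `elif isinstance(allowed_hosts, str): allowed_hosts = {allowed_hosts}` and add a test that passes a single string. The body of `is_safe_url` continues past the end of the hunk.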
|
@ -239,3 +239,5 @@ how to remove usage of these features.
|
||||||
|
|
||||||
* ``django.core.cache.backends.memcached.PyLibMCCache`` no longer supports
|
* ``django.core.cache.backends.memcached.PyLibMCCache`` no longer supports
|
||||||
passing ``pylibmc`` behavior settings as top-level attributes of ``OPTIONS``.
|
passing ``pylibmc`` behavior settings as top-level attributes of ``OPTIONS``.
|
||||||
|
|
||||||
|
* The ``host`` parameter of ``django.utils.http.is_safe_url()`` is removed.
|
||||||
|
|
|
@ -1,10 +1,8 @@
|
||||||
import unittest
|
import unittest
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
|
|
||||||
from django.test import ignore_warnings
|
|
||||||
from django.utils import http
|
from django.utils import http
|
||||||
from django.utils.datastructures import MultiValueDict
|
from django.utils.datastructures import MultiValueDict
|
||||||
from django.utils.deprecation import RemovedInDjango21Warning
|
|
||||||
|
|
||||||
|
|
||||||
class TestUtilsHttp(unittest.TestCase):
|
class TestUtilsHttp(unittest.TestCase):
|
||||||
|
@ -107,8 +105,6 @@ class TestUtilsHttp(unittest.TestCase):
|
||||||
'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
|
'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
|
||||||
)
|
)
|
||||||
for bad_url in bad_urls:
|
for bad_url in bad_urls:
|
||||||
with ignore_warnings(category=RemovedInDjango21Warning):
|
|
||||||
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
|
|
||||||
self.assertFalse(
|
self.assertFalse(
|
||||||
http.is_safe_url(bad_url, allowed_hosts={'testserver', 'testserver2'}),
|
http.is_safe_url(bad_url, allowed_hosts={'testserver', 'testserver2'}),
|
||||||
"%s should be blocked" % bad_url,
|
"%s should be blocked" % bad_url,
|
||||||
|
@ -127,8 +123,6 @@ class TestUtilsHttp(unittest.TestCase):
|
||||||
'path/http:2222222222',
|
'path/http:2222222222',
|
||||||
)
|
)
|
||||||
for good_url in good_urls:
|
for good_url in good_urls:
|
||||||
with ignore_warnings(category=RemovedInDjango21Warning):
|
|
||||||
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
|
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
http.is_safe_url(good_url, allowed_hosts={'otherserver', 'testserver'}),
|
http.is_safe_url(good_url, allowed_hosts={'otherserver', 'testserver'}),
|
||||||
"%s should be allowed" % good_url,
|
"%s should be allowed" % good_url,
|
||||||
|
|