From 552f03869ea7f3072b3fa19ffb6cb2d957fd8447 Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Fri, 4 Mar 2016 23:33:35 +0100 Subject: [PATCH] Added safety to URL decoding in is_safe_url() on Python 2 The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. --- django/utils/http.py | 5 ++++- docs/releases/1.8.11.txt | 2 +- docs/releases/1.9.4.txt | 2 +- tests/utils_tests/test_http.py | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/django/utils/http.py b/django/utils/http.py index 40a7d5f083..ba814504ad 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -291,7 +291,10 @@ def is_safe_url(url, host=None): if not url: return False if six.PY2: - url = force_text(url, errors='replace') + try: + url = force_text(url) + except UnicodeDecodeError: + return False # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) diff --git a/docs/releases/1.8.11.txt b/docs/releases/1.8.11.txt index b01807129b..f33149b9e7 100644 --- a/docs/releases/1.8.11.txt +++ b/docs/releases/1.8.11.txt @@ -2,7 +2,7 @@ Django 1.8.11 release notes =========================== -*March 4, 2016* +*March 5, 2016* Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). diff --git a/docs/releases/1.9.4.txt b/docs/releases/1.9.4.txt index d3f66bb7a1..36e4ea329a 100644 --- a/docs/releases/1.9.4.txt +++ b/docs/releases/1.9.4.txt @@ -2,7 +2,7 @@ Django 1.9.4 release notes ========================== -*March 4, 2016* +*March 5, 2016* Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 3a1bbbf66e..8f93c472a7 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -124,7 +124,7 @@ class TestUtilsHttp(unittest.TestCase): ) self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) - self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) + self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))