test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #26308 -- Prevented crash with binary URLs in is_safe_url() 

This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the reporti and Tim Graham for the review.
This commit is contained in:
Claude Paroz 2016-03-04 15:41:52 +01:00
parent cecbf1bdef
commit ada7a4aefb
4 changed files with 20 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/utils/http.py
View File

@ -290,6 +290,8 @@ def is_safe_url(url, host=None):
url = url.strip() url = url.strip()
if not url: if not url:
return False return False
if six.PY2:
url = force_text(url, errors='replace')
# Chrome treats \ completely as / in paths but it could be part of some # Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs. # basic auth credentials so we need to check both URLs.
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

10
docs/releases/1.8.11.txt
View File

@ -2,11 +2,7 @@
Django 1.8.11 release notes Django 1.8.11 release notes
=========================== ===========================
*Under development* *March 4, 2016*
Django 1.8.11 fixes several bugs in 1.8.10. Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
Bugfixes
========
* ...

10
docs/releases/1.9.4.txt
View File

@ -2,11 +2,7 @@
Django 1.9.4 release notes Django 1.9.4 release notes
========================== ==========================
*Under development* *March 4, 2016*
Django 1.9.4 fixes several bugs in 1.9.3. Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
Bugfixes
========
* ...

12
tests/utils_tests/test_http.py
View File

@ -1,3 +1,4 @@
# -*- encoding: utf-8 -*-
from __future__ import unicode_literals from __future__ import unicode_literals
import sys import sys
@ -114,6 +115,17 @@ class TestUtilsHttp(unittest.TestCase):
'http://testserver/confirm?email=me@example.com', 'http://testserver/confirm?email=me@example.com',
'/url%20with%20spaces/'): '/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
if six.PY2:
# Check binary URLs, regression tests for #26308
self.assertTrue(
http.is_safe_url(b'https://testserver/', host='testserver'),
"binary URLs should be allowed on Python 2"
)
self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
# Valid basic auth credentials are allowed. # Valid basic auth credentials are allowed.
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
# A path without host is allowed. # A path without host is allowed.