From ed32170a0487cdf045b565cc971067504b79aaf0 Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee <russell@keith-magee.com>
Date: Fri, 8 Oct 2010 14:14:05 +0000
Subject: [PATCH] Fixed #13218 -- Ensure that syndicated content served over
 HTTPS uses https:// links by default. Thanks to schaefer for the report, and
 Ben Firshman for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14007 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/syndication/views.py        | 23 ++++++++++++++++------
 tests/regressiontests/syndication/tests.py | 23 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/django/contrib/syndication/views.py b/django/contrib/syndication/views.py
index 804a94508f..d942b2f9dc 100644
--- a/django/contrib/syndication/views.py
+++ b/django/contrib/syndication/views.py
@@ -8,13 +8,17 @@ from django.utils import feedgenerator, tzinfo
 from django.utils.encoding import force_unicode, iri_to_uri, smart_unicode
 from django.utils.html import escape
 
-def add_domain(domain, url):
+def add_domain(domain, url, secure=False):
     if not (url.startswith('http://')
             or url.startswith('https://')
             or url.startswith('mailto:')):
         # 'url' must already be ASCII and URL-quoted, so no need for encoding
         # conversions here.
-        url = iri_to_uri(u'http://%s%s' % (domain, url))
+        if secure:
+            protocol = 'https'
+        else:
+            protocol = 'http'
+        url = iri_to_uri(u'%s://%s%s' % (protocol, domain, url))
     return url
 
 class FeedDoesNotExist(ObjectDoesNotExist):
@@ -94,7 +98,7 @@ class Feed(object):
         current_site = get_current_site(request)
 
         link = self.__get_dynamic_attr('link', obj)
-        link = add_domain(current_site.domain, link)
+        link = add_domain(current_site.domain, link, request.is_secure())
 
         feed = self.feed_type(
             title = self.__get_dynamic_attr('title', obj),
@@ -102,8 +106,11 @@ class Feed(object):
             link = link,
             description = self.__get_dynamic_attr('description', obj),
             language = settings.LANGUAGE_CODE.decode(),
-            feed_url = add_domain(current_site.domain,
-                    self.__get_dynamic_attr('feed_url', obj) or request.path),
+            feed_url = add_domain(
+                current_site.domain,
+                self.__get_dynamic_attr('feed_url', obj) or request.path,
+                request.is_secure(),
+            ),
             author_name = self.__get_dynamic_attr('author_name', obj),
             author_link = self.__get_dynamic_attr('author_link', obj),
             author_email = self.__get_dynamic_attr('author_email', obj),
@@ -137,7 +144,11 @@ class Feed(object):
                 description = description_tmp.render(RequestContext(request, {'obj': item, 'site': current_site}))
             else:
                 description = self.__get_dynamic_attr('item_description', item)
-            link = add_domain(current_site.domain, self.__get_dynamic_attr('item_link', item))
+            link = add_domain(
+                current_site.domain,
+                self.__get_dynamic_attr('item_link', item),
+                request.is_secure(),
+            )
             enc = None
             enc_url = self.__get_dynamic_attr('item_enclosure_url', item)
             if enc_url:
diff --git a/tests/regressiontests/syndication/tests.py b/tests/regressiontests/syndication/tests.py
index 7911657079..76a6c88bc1 100644
--- a/tests/regressiontests/syndication/tests.py
+++ b/tests/regressiontests/syndication/tests.py
@@ -236,6 +236,25 @@ class SyndicationFeedTest(FeedTestCase):
             if link.getAttribute('rel') == 'self':
                 self.assertEqual(link.getAttribute('href'), 'http://example.com/customfeedurl/')
 
+    def test_secure_urls(self):
+        """
+        Test URLs are prefixed with https:// when feed is requested over HTTPS.
+        """
+        response = self.client.get('/syndication/rss2/', **{
+            'wsgi.url_scheme': 'https',
+        })
+        doc = minidom.parseString(response.content)
+        chan = doc.getElementsByTagName('channel')[0]
+        self.assertEqual(
+            chan.getElementsByTagName('link')[0].firstChild.wholeText[0:5],
+            'https'
+        )
+        atom_link = chan.getElementsByTagName('atom:link')[0]
+        self.assertEqual(atom_link.getAttribute('href')[0:5], 'https')
+        for link in doc.getElementsByTagName('link'):
+            if link.getAttribute('rel') == 'self':
+                self.assertEqual(link.getAttribute('href')[0:5], 'https')
+
     def test_item_link_error(self):
         """
         Test that a ImproperlyConfigured is raised if no link could be found
@@ -270,6 +289,10 @@ class SyndicationFeedTest(FeedTestCase):
             views.add_domain('example.com', '/foo/?arg=value'),
             'http://example.com/foo/?arg=value'
         )
+        self.assertEqual(
+            views.add_domain('example.com', '/foo/?arg=value', True),
+            'https://example.com/foo/?arg=value'
+        )
         self.assertEqual(
             views.add_domain('example.com', 'http://djangoproject.com/doc/'),
             'http://djangoproject.com/doc/'