diff options
| author | Claude Paroz <claude@2xlibre.net> | 2016-03-04 23:33:35 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2016-03-04 23:33:35 +0100 |
| commit | 552f03869ea7f3072b3fa19ffb6cb2d957fd8447 (patch) | |
| tree | 682fddbf235af897d93a1814915b5c588dac88e5 | |
| parent | ada7a4aefb9bec4c34667b511022be6057102f98 (diff) | |
Added safety to URL decoding in is_safe_url() on Python 2
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
| -rw-r--r-- | django/utils/http.py | 5 | ||||
| -rw-r--r-- | docs/releases/1.8.11.txt | 2 | ||||
| -rw-r--r-- | docs/releases/1.9.4.txt | 2 | ||||
| -rw-r--r-- | tests/utils_tests/test_http.py | 2 |
4 files changed, 7 insertions, 4 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index 40a7d5f083..ba814504ad 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -291,7 +291,10 @@ def is_safe_url(url, host=None): if not url: return False if six.PY2: - url = force_text(url, errors='replace') + try: + url = force_text(url) + except UnicodeDecodeError: + return False # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) diff --git a/docs/releases/1.8.11.txt b/docs/releases/1.8.11.txt index b01807129b..f33149b9e7 100644 --- a/docs/releases/1.8.11.txt +++ b/docs/releases/1.8.11.txt @@ -2,7 +2,7 @@ Django 1.8.11 release notes =========================== -*March 4, 2016* +*March 5, 2016* Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). diff --git a/docs/releases/1.9.4.txt b/docs/releases/1.9.4.txt index d3f66bb7a1..36e4ea329a 100644 --- a/docs/releases/1.9.4.txt +++ b/docs/releases/1.9.4.txt @@ -2,7 +2,7 @@ Django 1.9.4 release notes ========================== -*March 4, 2016* +*March 5, 2016* Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 3a1bbbf66e..8f93c472a7 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -124,7 +124,7 @@ class TestUtilsHttp(unittest.TestCase): ) self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) - self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) + self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) |
