diff options
| author | Przemysław Suliga <mail@suligap.net> | 2018-06-22 11:21:52 +0200 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2018-06-29 10:17:52 -0400 |
| commit | d22b90b4eabc1fe9b7b35aada441e0edf5ebd6d8 (patch) | |
| tree | 9dcafc8e840de7fc1f2fc11aa818bfd2fd557557 | |
| parent | b5dd6ef3d52544ec7533509915c61545d5c3d85a (diff) | |
Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string.
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | django/utils/http.py | 2 | ||||
| -rw-r--r-- | tests/utils_tests/test_http.py | 4 |
3 files changed, 7 insertions, 0 deletions
@@ -678,6 +678,7 @@ answer newbie questions, and generally made Django that much better: Preston Holmes <preston@ptone.com> Preston Timmons <prestontimmons@gmail.com> Priyansh Saxena <askpriyansh@gmail.com> + Przemysław Suliga <http://suligap.net> Rachel Tobin <rmtobin@me.com> Rachel Willmer <http://www.willmer.com/kb/> Radek Švarz <http://www.svarz.cz/translate/> diff --git a/django/utils/http.py b/django/utils/http.py index 4558c6874a..caaab4f9e5 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -298,6 +298,8 @@ def is_safe_url(url, allowed_hosts, require_https=False): return False if allowed_hosts is None: allowed_hosts = set() + elif isinstance(allowed_hosts, str): + allowed_hosts = {allowed_hosts} # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return (_is_safe_url(url, allowed_hosts, require_https=require_https) and diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 86fcff9d8e..05b43c814f 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -165,6 +165,10 @@ class IsSafeURLTests(unittest.TestCase): # Basic auth without host is not allowed. self.assertIs(is_safe_url(r'http://testserver\@example.com', allowed_hosts=None), False) + def test_allowed_hosts_str(self): + self.assertIs(is_safe_url('http://good.com/good', allowed_hosts='good.com'), True) + self.assertIs(is_safe_url('http://good.co/evil', allowed_hosts='good.com'), False) + def test_secure_param_https_urls(self): secure_urls = ( 'https://example.com/p', |
