summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPrzemysław Suliga <mail@suligap.net>2018-06-22 11:21:52 +0200
committerTim Graham <timograham@gmail.com>2018-06-29 10:17:52 -0400
commitd22b90b4eabc1fe9b7b35aada441e0edf5ebd6d8 (patch)
tree9dcafc8e840de7fc1f2fc11aa818bfd2fd557557
parentb5dd6ef3d52544ec7533509915c61545d5c3d85a (diff)
Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string.
-rw-r--r--AUTHORS1
-rw-r--r--django/utils/http.py2
-rw-r--r--tests/utils_tests/test_http.py4
3 files changed, 7 insertions, 0 deletions
diff --git a/AUTHORS b/AUTHORS
index f95e3ea15d..c2fad3204b 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -678,6 +678,7 @@ answer newbie questions, and generally made Django that much better:
Preston Holmes <preston@ptone.com>
Preston Timmons <prestontimmons@gmail.com>
Priyansh Saxena <askpriyansh@gmail.com>
+ Przemysław Suliga <http://suligap.net>
Rachel Tobin <rmtobin@me.com>
Rachel Willmer <http://www.willmer.com/kb/>
Radek Švarz <http://www.svarz.cz/translate/>
diff --git a/django/utils/http.py b/django/utils/http.py
index 4558c6874a..caaab4f9e5 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -298,6 +298,8 @@ def is_safe_url(url, allowed_hosts, require_https=False):
return False
if allowed_hosts is None:
allowed_hosts = set()
+ elif isinstance(allowed_hosts, str):
+ allowed_hosts = {allowed_hosts}
# Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs.
return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 86fcff9d8e..05b43c814f 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -165,6 +165,10 @@ class IsSafeURLTests(unittest.TestCase):
# Basic auth without host is not allowed.
self.assertIs(is_safe_url(r'http://testserver\@example.com', allowed_hosts=None), False)
+ def test_allowed_hosts_str(self):
+ self.assertIs(is_safe_url('http://good.com/good', allowed_hosts='good.com'), True)
+ self.assertIs(is_safe_url('http://good.co/evil', allowed_hosts='good.com'), False)
+
def test_secure_param_https_urls(self):
secure_urls = (
'https://example.com/p',