diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2012-11-17 22:00:53 +0100 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-12-10 22:13:28 +0100 |
| commit | fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5 (patch) | |
| tree | 93a70aabbaae9a4be826afeeadb41957224ef3f8 /django/utils | |
| parent | 984cf8417b9f6738e3bc09cbcfb697eeffe441a5 (diff) | |
[1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/http.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index 1c3b0039b5..0ab5198804 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -227,3 +227,15 @@ def same_origin(url1, url2): """ p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2) return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port) + +def is_safe_url(url, host=None): + """ + Return ``True`` if the url is a safe redirection (i.e. it doesn't point to + a different host). + + Always returns ``False`` on an empty url. + """ + if not url: + return False + netloc = urllib_parse.urlparse(url)[1] + return not netloc or netloc == host |
