summaryrefslogtreecommitdiff
path: root/tests/utils_tests
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2017-03-14 10:46:53 -0400
committerTim Graham <timograham@gmail.com>2017-04-04 10:00:41 -0400
commit254326cb3682389f55f886804d2c43f7b9f23e4f (patch)
treeb18a37cefa313718667225578174ca7d3b3c85e8 /tests/utils_tests
parent5f1ffb07afc1e59729ce2b283124116d6c0659e4 (diff)
[1.9.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
This is a security fix.
Diffstat (limited to 'tests/utils_tests')
-rw-r--r--tests/utils_tests/test_http.py5
1 files changed, 4 insertions, 1 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index dc117869ad..d1b8876fde 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -98,6 +98,8 @@ class TestUtilsHttp(unittest.TestCase):
r'http://testserver\me:pass@example.com',
r'http://testserver\@example.com',
r'http:\\testserver\confirm\me@example.com',
+ 'http:999999999',
+ 'ftp:9999999999',
'\n'):
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
for good_url in ('/view/?param=http://example.com',
@@ -108,7 +110,8 @@ class TestUtilsHttp(unittest.TestCase):
'HTTPS://testserver/',
'//testserver/',
'http://testserver/confirm?email=me@example.com',
- '/url%20with%20spaces/'):
+ '/url%20with%20spaces/',
+ 'path/http:2222222222'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
if six.PY2: