[1.5.x] Prevented reverse() from generating URLs pointing to other hosts.

This is a security fix. Disclosure following shortly.
author: Florian Apolloner <florian@apolloner.eu> 2014-07-17 21:59:28 +0200
committer: Tim Graham <timograham@gmail.com> 2014-08-20 11:44:02 -0400
commit: 45ac9d4fb087d21902469fc22643f5201d41a0cd (patch)
tree: 5492e6b1729fa8d254344af5046fcd6b7cb1014f /tests
parent: 25d9ae5214b59f06f385190733914eaa459751ff (diff)
2 files changed, 6 insertions, 0 deletions
diff --git a/tests/regressiontests/urlpatterns_reverse/tests.py b/tests/regressiontests/urlpatterns_reverse/tests.py
index e3e14b3d7c..a7c8bccdf5 100644
--- a/tests/regressiontests/urlpatterns_reverse/tests.py
+++ b/tests/regressiontests/urlpatterns_reverse/tests.py
@@ -143,6 +143,9 @@ test_data = (
     ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
     ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
     ('defaults', NoReverseMatch, [], {'arg2': 1}),
+
+    # Security tests
+    ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
 )
 
 class NoURLPatternsTests(TestCase):
diff --git a/tests/regressiontests/urlpatterns_reverse/urls.py b/tests/regressiontests/urlpatterns_reverse/urls.py
index 7aae7c4691..0d3f8c3ed5 100644
--- a/tests/regressiontests/urlpatterns_reverse/urls.py
+++ b/tests/regressiontests/urlpatterns_reverse/urls.py
@@ -71,4 +71,7 @@ urlpatterns = patterns('',
     (r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
 
     url('^includes/', include(other_patterns)),
+
+    # Security tests
+    url('(.+)/security/$', empty_view, name='security'),
 )
author	Florian Apolloner <florian@apolloner.eu>	2014-07-17 21:59:28 +0200
committer	Tim Graham <timograham@gmail.com>	2014-08-20 11:44:02 -0400
commit	45ac9d4fb087d21902469fc22643f5201d41a0cd (patch)
tree	5492e6b1729fa8d254344af5046fcd6b7cb1014f /tests
parent	25d9ae5214b59f06f385190733914eaa459751ff (diff)