From fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Sat, 17 Nov 2012 22:00:53 +0100 Subject: [1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users. --- django/utils/http.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'django/utils/http.py') diff --git a/django/utils/http.py b/django/utils/http.py index 1c3b0039b5..0ab5198804 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -227,3 +227,15 @@ def same_origin(url1, url2): """ p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2) return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port) + +def is_safe_url(url, host=None): + """ + Return ``True`` if the url is a safe redirection (i.e. it doesn't point to + a different host). + + Always returns ``False`` on an empty url. + """ + if not url: + return False + netloc = urllib_parse.urlparse(url)[1] + return not netloc or netloc == host -- cgit v1.3