From bf650a2ee78c6d1f4544a875dcc777cf27fe93e9 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Thu, 17 Jul 2014 21:59:28 +0200 Subject: [1.7.x] Prevented reverse() from generating URLs pointing to other hosts. This is a security fix. Disclosure following shortly. --- tests/urlpatterns_reverse/tests.py | 3 +++ tests/urlpatterns_reverse/urls.py | 3 +++ 2 files changed, 6 insertions(+) (limited to 'tests/urlpatterns_reverse') diff --git a/tests/urlpatterns_reverse/tests.py b/tests/urlpatterns_reverse/tests.py index 6d197534e4..1ba822e7f6 100644 --- a/tests/urlpatterns_reverse/tests.py +++ b/tests/urlpatterns_reverse/tests.py @@ -151,6 +151,9 @@ test_data = ( ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}), ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}), ('defaults', NoReverseMatch, [], {'arg2': 1}), + + # Security tests + ('security', '/%2Fexample.com/security/', ['/example.com'], {}), ) diff --git a/tests/urlpatterns_reverse/urls.py b/tests/urlpatterns_reverse/urls.py index f7b160f626..c4d10131be 100644 --- a/tests/urlpatterns_reverse/urls.py +++ b/tests/urlpatterns_reverse/urls.py @@ -66,4 +66,7 @@ urlpatterns = patterns('', (r'defaults_view2/(?P\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'), url('^includes/', include(other_patterns)), + + # Security tests + url('(.+)/security/$', empty_view, name='security'), ) -- cgit v1.3