From 552f03869ea7f3072b3fa19ffb6cb2d957fd8447 Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Fri, 4 Mar 2016 23:33:35 +0100 Subject: Added safety to URL decoding in is_safe_url() on Python 2 The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. --- tests/utils_tests/test_http.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/utils_tests') diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 3a1bbbf66e..8f93c472a7 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -124,7 +124,7 @@ class TestUtilsHttp(unittest.TestCase): ) self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) - self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) + self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) -- cgit v1.3