From 7feb54bbae3f637ab3c4dd4831d4385964f574df Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 12 May 2014 09:46:40 -0400 Subject: [1.4.x] Added additional checks in is_safe_url to account for flexible parsing. This is a security fix. Disclosure following shortly. --- tests/regressiontests/utils/http.py | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'tests') diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py index 9e05a94118..802b3fa88d 100644 --- a/tests/regressiontests/utils/http.py +++ b/tests/regressiontests/utils/http.py @@ -78,3 +78,33 @@ class TestUtilsHttp(unittest.TestCase): for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]: self.assertEqual(http.int_to_base36(n), b36) self.assertEqual(http.base36_to_int(b36), n) + + def test_is_safe_url(self): + for bad_url in ('http://example.com', + 'http:///example.com', + 'https://example.com', + 'ftp://exampel.com', + r'\\example.com', + r'\\\example.com', + r'/\\/example.com', + r'\\\example.com', + r'\\example.com', + r'\\//example.com', + r'/\/example.com', + r'\/example.com', + r'/\example.com', + 'http:///example.com', + 'http:/\//example.com', + 'http:\/example.com', + 'http:/\example.com', + 'javascript:alert("XSS")'): + self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) + for good_url in ('/view/?param=http://example.com', + '/view/?param=https://example.com', + '/view?param=ftp://exampel.com', + 'view/?param=//example.com', + 'https://testserver/', + 'HTTPS://testserver/', + '//testserver/', + '/url%20with%20spaces/'): + self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) -- cgit v1.3