From fc6d147a63f89795dbcdecb0559256470fff4380 Mon Sep 17 00:00:00 2001 From: Mark Striemer Date: Mon, 22 Feb 2016 16:50:23 -0500 Subject: [1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. This is a security fix. --- tests/utils_tests/test_http.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'tests') diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 6051818958..ad9a1666c3 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -92,6 +92,11 @@ class TestUtilsHttp(unittest.TestCase): 'javascript:alert("XSS")', '\njavascript:alert(x)', '\x08//example.com', + r'http://otherserver\@example.com', + r'http:\\testserver\@example.com', + r'http://testserver\me:pass@example.com', + r'http://testserver\@example.com', + r'http:\\testserver\confirm\me@example.com', '\n'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', @@ -101,8 +106,15 @@ class TestUtilsHttp(unittest.TestCase): 'https://testserver/', 'HTTPS://testserver/', '//testserver/', + 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) + # Valid basic auth credentials are allowed. + self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) + # A path without host is allowed. + self.assertTrue(http.is_safe_url('/confirm/me@example.com')) + # Basic auth without host is not allowed. + self.assertFalse(http.is_safe_url(r'http://testserver\@example.com')) def test_urlsafe_base64_roundtrip(self): bytestring = b'foo' -- cgit v1.3