diff options
| author | Claude Paroz <claude@2xlibre.net> | 2016-03-04 23:33:35 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2016-03-04 23:38:32 +0100 |
| commit | 9c195d45a64b0d2baee218e617ca3a762efc0bf5 (patch) | |
| tree | 2cf937e60f38926b32122b7244c44fba3a1f9c90 | |
| parent | 78f48300567b816b3c8177c33bef1a3ea6b36987 (diff) | |
[1.9.x] Added safety to URL decoding in is_safe_url() on Python 2
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
Backport of 552f03869e from master.
| -rw-r--r-- | django/utils/http.py | 5 | ||||
| -rw-r--r-- | docs/releases/1.8.11.txt | 2 | ||||
| -rw-r--r-- | docs/releases/1.9.4.txt | 2 | ||||
| -rw-r--r-- | tests/utils_tests/test_http.py | 2 |
4 files changed, 7 insertions, 4 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index e925cfc543..62e854da8a 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -291,7 +291,10 @@ def is_safe_url(url, host=None): if not url: return False if six.PY2: - url = force_text(url, errors='replace') + try: + url = force_text(url) + except UnicodeDecodeError: + return False # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) diff --git a/docs/releases/1.8.11.txt b/docs/releases/1.8.11.txt index b01807129b..f33149b9e7 100644 --- a/docs/releases/1.8.11.txt +++ b/docs/releases/1.8.11.txt @@ -2,7 +2,7 @@ Django 1.8.11 release notes =========================== -*March 4, 2016* +*March 5, 2016* Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). diff --git a/docs/releases/1.9.4.txt b/docs/releases/1.9.4.txt index d3f66bb7a1..36e4ea329a 100644 --- a/docs/releases/1.9.4.txt +++ b/docs/releases/1.9.4.txt @@ -2,7 +2,7 @@ Django 1.9.4 release notes ========================== -*March 4, 2016* +*March 5, 2016* Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`). diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index a7c282aedc..dc117869ad 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -119,7 +119,7 @@ class TestUtilsHttp(unittest.TestCase): ) self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) - self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) + self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) |