summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2016-03-04 23:33:35 +0100
committerClaude Paroz <claude@2xlibre.net>2016-03-04 23:39:46 +0100
commitbeb392b85e71fdd41209d323126181d74090fecb (patch)
treee05961f9b439140f9f9d9c714361ce69e4c0f38f
parent28bed24f552aa01e5b69902493f5ee2e06514522 (diff)
[1.8.x] Added safety to URL decoding in is_safe_url() on Python 2
The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. Backport of 552f03869e from master.
Diffstat
-rw-r--r--django/utils/http.py5
-rw-r--r--docs/releases/1.8.11.txt2
-rw-r--r--tests/utils_tests/test_http.py2
3 files changed, 6 insertions, 3 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 68f77fba5e..b70720d844 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -278,7 +278,10 @@ def is_safe_url(url, host=None):
if not url:
return False
if six.PY2:
- url = force_text(url, errors='replace')
+ try:
+ url = force_text(url)
+ except UnicodeDecodeError:
+ return False
# Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs.
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
diff --git a/docs/releases/1.8.11.txt b/docs/releases/1.8.11.txt
index b01807129b..f33149b9e7 100644
--- a/docs/releases/1.8.11.txt
+++ b/docs/releases/1.8.11.txt
@@ -2,7 +2,7 @@
Django 1.8.11 release notes
===========================
-*March 4, 2016*
+*March 5, 2016*
Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 106f149515..c487d80744 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -144,7 +144,7 @@ class TestUtilsHttp(unittest.TestCase):
)
self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
- self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
+ self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
# Valid basic auth credentials are allowed.
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 20:04:08 +0000