[1.8.x] Added safety to URL decoding in is_safe_url() on Python 2

The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. Backport of 552f03869e from master.
author: Claude Paroz <claude@2xlibre.net> 2016-03-04 23:33:35 +0100
committer: Claude Paroz <claude@2xlibre.net> 2016-03-04 23:39:46 +0100
commit: beb392b85e71fdd41209d323126181d74090fecb (patch)
tree: e05961f9b439140f9f9d9c714361ce69e4c0f38f /django/utils/http.py
parent: 28bed24f552aa01e5b69902493f5ee2e06514522 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 68f77fba5e..b70720d844 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -278,7 +278,10 @@ def is_safe_url(url, host=None):
     if not url:
         return False
     if six.PY2:
-        url = force_text(url, errors='replace')
+        try:
+            url = force_text(url)
+        except UnicodeDecodeError:
+            return False
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
author	Claude Paroz <claude@2xlibre.net>	2016-03-04 23:33:35 +0100
committer	Claude Paroz <claude@2xlibre.net>	2016-03-04 23:39:46 +0100
commit	beb392b85e71fdd41209d323126181d74090fecb (patch)
tree	e05961f9b439140f9f9d9c714361ce69e4c0f38f /django/utils/http.py
parent	28bed24f552aa01e5b69902493f5ee2e06514522 (diff)