[1.9.x] Added safety to URL decoding in is_safe_url() on Python 2

The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. Backport of 552f03869e from master.
author: Claude Paroz <claude@2xlibre.net> 2016-03-04 23:33:35 +0100
committer: Claude Paroz <claude@2xlibre.net> 2016-03-04 23:38:32 +0100
commit: 9c195d45a64b0d2baee218e617ca3a762efc0bf5 (patch)
tree: 2cf937e60f38926b32122b7244c44fba3a1f9c90 /django/utils/http.py
parent: 78f48300567b816b3c8177c33bef1a3ea6b36987 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index e925cfc543..62e854da8a 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -291,7 +291,10 @@ def is_safe_url(url, host=None):
     if not url:
         return False
     if six.PY2:
-        url = force_text(url, errors='replace')
+        try:
+            url = force_text(url)
+        except UnicodeDecodeError:
+            return False
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
author	Claude Paroz <claude@2xlibre.net>	2016-03-04 23:33:35 +0100
committer	Claude Paroz <claude@2xlibre.net>	2016-03-04 23:38:32 +0100
commit	9c195d45a64b0d2baee218e617ca3a762efc0bf5 (patch)
tree	2cf937e60f38926b32122b7244c44fba3a1f9c90 /django/utils/http.py
parent	78f48300567b816b3c8177c33bef1a3ea6b36987 (diff)