| author | UmanShahzad <emidanrko564@hotmail.com> | 2017-04-29 19:10:43 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-05-10 09:02:20 -0400 |
| commit | 856072dd4a3e479aa09b0ab6b498ff599ca2a809 (patch) | |
| tree | 79d31879bfe493069fb9027d4c95a7cce25ebcc3 /django/utils/http.py | |
| parent | 3db84b5526a16a136862381c6f8b08c59da4cb82 (diff) | |
Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.
Diffstat (limited to 'django/utils/http.py')
| -rw-r--r-- | django/utils/http.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 1433df4ff0..07b6ae246a 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -349,7 +349,10 @@ def _is_safe_url(url, allowed_hosts, require_https=False):
 # urlparse is not so flexible. Treat any url with three slashes as unsafe.
 if url.startswith('///'):
 return False
- url_info = _urlparse(url)
+ try:
+ url_info = _urlparse(url)
+ except ValueError: # e.g. invalid IPv6 addresses
+ return False
 # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
 # In that URL, example.com is not the hostname but, a path component. However,
 # Chrome will still consider example.com to be the hostname, so we must not |
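Review bot: The comment on the new `except ValueError:` names the trigger but not the policy, and the policy is what matters for a function that decides whether a URL is safe. I would spell out that an unparseable URL is deliberately rejected, for example `except ValueError:  # unparseable (e.g. malformed IPv6 literal): fail closed, treat as unsafe`, so a later edit does not turn this branch into a fallback that accepts the URL. The guard covers only the `_urlparse(url)` call. The rest of `_is_safe_url` lies outside this hunk, so whether any later step can still raise on attacker-supplied input cannot be confirmed from here and is worth a quick check. If the public wrapper's docstring does not already say so, it should state that malformed URLs return False rather than raising.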
