[1.7.x] Fixed is_safe_url() to handle leading whitespace.

This is a security fix. Disclosure following shortly.
author: Tim Graham <timograham@gmail.com> 2014-12-03 16:14:00 -0500
committer: Tim Graham <timograham@gmail.com> 2015-01-13 13:02:56 -0500
commit: de67dedc771ad2edec15c1d00c083a1a084e1e89 (patch)
tree: 8730d717445807b0950da15cfeabc7850740c6bd /django/utils
parent: 41b4bc73ee0da7b2e09f4af47fc1fd21144c710f (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 67414d93f6..6aa5cd38d6 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -272,6 +272,7 @@ def is_safe_url(url, host=None):
     """
     if not url:
         return False
+    url = url.strip()
     # Chrome treats \ completely as /
     url = url.replace('\\', '/')
     # Chrome considers any URL with more than two slashes to be absolute, but
author	Tim Graham <timograham@gmail.com>	2014-12-03 16:14:00 -0500
committer	Tim Graham <timograham@gmail.com>	2015-01-13 13:02:56 -0500
commit	de67dedc771ad2edec15c1d00c083a1a084e1e89 (patch)
tree	8730d717445807b0950da15cfeabc7850740c6bd /django/utils
parent	41b4bc73ee0da7b2e09f4af47fc1fd21144c710f (diff)