authorPrzemysław Suliga <mail@suligap.net>2016-08-19 13:23:13 +0200
committerTim Graham <timograham@gmail.com>2016-08-19 18:51:33 -0400
commit5e5a17028f4b9cfb5ff777d8c259e079bca0c988 (patch)
tree54e80c287c4598135a6d00db7ed4221d2a48d01b /tests/utils_tests/test_http.py
parent44c306218ff5f1b1748040ee3ffd767c4bc33533 (diff)
Fixed #26902 -- Allowed is_safe_url() to require an https URL.
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
Diffstat (limited to 'tests/utils_tests/test_http.py')
-rw-r--r--tests/utils_tests/test_http.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index e22f76be2e..b690055f30 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -140,6 +140,24 @@ class TestUtilsHttp(unittest.TestCase):
# Basic auth without host is not allowed.
self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
+ def test_is_safe_url_secure_param_https_urls(self):
+ secure_urls = (
+ 'https://example.com/p',
+ 'HTTPS://example.com/p',
+ '/view/?param=http://example.com',
+ )
+ for url in secure_urls:
+ self.assertTrue(http.is_safe_url(url, 'example.com', require_https=True))
+
+ def test_is_safe_url_secure_param_non_https_urls(self):
+ not_secure_urls = (
+ 'http://example.com/p',
+ 'ftp://example.com/p',
+ '//example.com/p',
+ )
+ for url in not_secure_urls:
+ self.assertFalse(http.is_safe_url(url, 'example.com', require_https=True))
+
def test_urlsafe_base64_roundtrip(self):
bytestring = b'foo'
encoded = http.urlsafe_base64_encode(bytestring)
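Review bot: Every entry in `not_secure_urls` uses the allowed host `example.com`, so `test_is_safe_url_secure_param_non_https_urls` pins only the scheme check; nothing in this hunk confirms that an https URL on a different host is still rejected when `require_https=True`. One extra assertion with a constructed foreign host, e.g. `self.assertFalse(http.is_safe_url('https://other.example/p', 'example.com', require_https=True))`, would show that the scheme and host checks combine rather than one replacing the other. Both loops also assert without a message, so a failure does not say which URL broke; passing the URL as the message, `self.assertFalse(http.is_safe_url(url, 'example.com', require_https=True), url)`, would fix that. A short comment on `'/view/?param=http://example.com'` (accepted, presumably because a relative path stays on the current origin) and on `'//example.com/p'` (rejected, presumably because a scheme-relative URL inherits whatever scheme the page was served over) would record why those two cases sit where they do. The enclosing `TestUtilsHttp` class starts before this hunk and `test_urlsafe_base64_roundtrip` continues past it.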