Diffstat (limited to 'django/http/__init__.py')
-rw-r--r--django/http/__init__.py21
1 files changed, 12 insertions, 9 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py
index 07e5a46797..74113b080a 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -4,7 +4,7 @@ import re
import time
from pprint import pformat
from urllib import urlencode, quote
-from urlparse import urljoin
+from urlparse import urljoin, urlparse
try:
from cStringIO import StringIO
except ImportError:
@@ -117,6 +117,7 @@ class CompatCookie(SimpleCookie):
warnings.warn("CompatCookie is deprecated, use django.http.SimpleCookie instead.",
PendingDeprecationWarning)
+from django.core.exceptions import SuspiciousOperation
from django.utils.datastructures import MultiValueDict, ImmutableList
from django.utils.encoding import smart_str, iri_to_uri, force_unicode
from django.utils.http import cookie_date
@@ -635,19 +636,21 @@ class HttpResponse(object):
raise Exception("This %s instance cannot tell its position" % self.__class__)
return sum([len(chunk) for chunk in self._container])
-class HttpResponseRedirect(HttpResponse):
- status_code = 302
+class HttpResponseRedirectBase(HttpResponse):
+ allowed_schemes = ['http', 'https', 'ftp']
def __init__(self, redirect_to):
- super(HttpResponseRedirect, self).__init__()
+ super(HttpResponseRedirectBase, self).__init__()
+ parsed = urlparse(redirect_to)
+ if parsed.scheme and parsed.scheme not in self.allowed_schemes:
+ raise SuspiciousOperation("Unsafe redirect to URL with scheme '%s'" % parsed.scheme)
self['Location'] = iri_to_uri(redirect_to)
-class HttpResponsePermanentRedirect(HttpResponse):
- status_code = 301
+class HttpResponseRedirect(HttpResponseRedirectBase):
+ status_code = 302
- def __init__(self, redirect_to):
- super(HttpResponsePermanentRedirect, self).__init__()
- self['Location'] = iri_to_uri(redirect_to)
+class HttpResponsePermanentRedirect(HttpResponseRedirectBase):
+ status_code = 301
class HttpResponseNotModified(HttpResponse):
status_code = 304
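Review bot: The new `HttpResponseRedirectBase` and its `allowed_schemes` attribute carry no documentation, so a reader cannot tell from the class that scheme-less (relative) targets bypass the check entirely and that the check runs only once, in `__init__` — a later `response['Location'] = ...` assignment is not validated. I would add a class docstring along the lines of `"""Base for redirects; rejects absolute targets whose scheme is not in allowed_schemes. Relative targets (no scheme) are accepted as-is. Subclasses may override allowed_schemes."""` and a comment on the `if` line, `# urlparse lower-cases the scheme, so this compare is case-insensitive`, if that holds for the urlparse version in use. Since `allowed_schemes` is a shared mutable list, note in the docstring that overriding (not appending in place) is the supported way to extend it, or make it a tuple. The `HttpResponseNotModified` class at the end of the hunk continues outside it.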