From d22b90b4eabc1fe9b7b35aada441e0edf5ebd6d8 Mon Sep 17 00:00:00 2001
From: Przemysław Suliga <mail@suligap.net>
Date: Fri, 22 Jun 2018 11:21:52 +0200
Subject: Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a
 string.

---
 django/utils/http.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'django/utils/http.py')

diff --git a/django/utils/http.py b/django/utils/http.py
index 4558c6874a..caaab4f9e5 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -298,6 +298,8 @@ def is_safe_url(url, allowed_hosts, require_https=False):
         return False
     if allowed_hosts is None:
         allowed_hosts = set()
+    elif isinstance(allowed_hosts, str):
+        allowed_hosts = {allowed_hosts}
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return (_is_safe_url(url, allowed_hosts, require_https=require_https) and
-- 
cgit v1.3