[Python-modules-commits] [python-django] 06/10: is_safe_url() crashes with a bytestring URL on Python 2
Raphaël Hertzog
hertzog at moszumanska.debian.org
Mon Jul 25 07:57:03 UTC 2016
hertzog pushed a commit to branch debian/jessie-updates
in repository python-django.
commit 41e37f8587976b35971dcbdbd22122b2285f4810
Author: Claude Paroz <claude at 2xlibre.net>
Date: Thu Jul 21 04:33:11 2016 +0200
is_safe_url() crashes with a bytestring URL on Python 2
Origin: upstream, https://github.com/django/django/commit/ada7a4aefb9bec4c34667b511022be6057102f98,
https://github.com/django/django/commit/beb392b85e71fdd41209d323126181d74090fecb
Bug: https://code.djangoproject.com/ticket/26308
Forwarded: not-needed
Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
Last-Update: 2016-03-12
Applied-Upstream: 1.8.11
---
django/utils/http.py | 5 +++++
tests/utils_tests/test_http.py | 13 +++++++++++++
2 files changed, 18 insertions(+)
diff --git a/django/utils/http.py b/django/utils/http.py
index 007edd4..972760e 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -274,6 +274,11 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
+ if six.PY2:
+ try:
+ url = force_text(url)
+ except UnicodeDecodeError:
+ return False
# Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs.
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
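Review bot: The added `six.PY2` branch gives no hint why an undecodable bytestring is silently reported as unsafe rather than raised, and the docstring of is_safe_url, which sits above this hunk, still describes only text input. A comment on the new `try`, such as `# Python 2 may pass a bytestring; it must be text for the '\\' check below, and bytes that are not valid UTF-8 cannot be a safe URL, so reject instead of raising.`, plus a docstring sentence stating that on Python 2 a bytestring is decoded as UTF-8 and rejected when that fails, would make the contract explicit. The branch does nothing on Python 3, where a bytes URL reaching `url.replace('\\', '/')` presumably raises TypeError; if that is intended it is worth a sentence in the docstring too. The hunk assumes `six` and `force_text` are already imported in this module, which is not visible here.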
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index c8fe0b3..769f163 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -1,3 +1,5 @@
+# -*- encoding: utf-8 -*-
+from __future__ import unicode_literals
from datetime import datetime
import sys
import unittest
@@ -127,6 +129,17 @@ class TestUtilsHttp(unittest.TestCase):
'http://testserver/confirm?email=me@example.com',
'/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+
+ if six.PY2:
+ # Check binary URLs, regression tests for #26308
+ self.assertTrue(
+ http.is_safe_url(b'https://testserver/', host='testserver'),
+ "binary URLs should be allowed on Python 2"
+ )
+ self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
+ self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
+ self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
+
# Valid basic auth credentials are allowed.
self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass at testserver'))
# A path without host is allowed.
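Review bot: The regression assertions are gated on `six.PY2`, so the behaviour of is_safe_url with a bytes URL on Python 3 stays unasserted and can drift without a test noticing; an `else:` branch pinning the Python 3 contract (whatever it is: rejection or a raised TypeError) would keep the two paths aligned. The added lines also rely on `six` being imported at the top of this test file, which this hunk does not show. The enclosing test method starts before the hunk.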