Attachment 895338 Details for Bug 1097505 – upstream fix

[patch] upstream fix

is_safe_url.diff (text/plain), 5.18 KB, created by Murray McAllister on 2014-05-14 03:32:56 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Murray McAllister

Created: 2014-05-14 03:32:56 UTC

Size: 5.18 KB

patch

obsolete

>diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py
>index c9df787..f7a99a6 100644
>--- a/django/contrib/auth/tests/test_views.py
>+++ b/django/contrib/auth/tests/test_views.py
>@@ -464,8 +464,10 @@ class LoginTest(AuthViewsTestCase):
> 
>         # Those URLs should not pass the security check
>         for bad_url in ('http://example.com',
>+                        'http:///example.com',
>                         'https://example.com',
>                         'ftp://exampel.com',
>+                        '///example.com',
>                         '//example.com',
>                         'javascript:alert("XSS")'):
> 
>@@ -487,8 +489,8 @@ class LoginTest(AuthViewsTestCase):
>                          '/view/?param=https://example.com',
>                          '/view?param=ftp://exampel.com',
>                          'view/?param=//example.com',
>-                         'https:///',
>-                         'HTTPS:///',
>+                         'https://testserver/',
>+                         'HTTPS://testserver/',
>                          '//testserver/',
>                          '/url%20with%20spaces/'):  # see ticket #12534
>             safe_url = '%(url)s?%(next)s=%(good_url)s' % {
>@@ -679,8 +681,10 @@ class LogoutTest(AuthViewsTestCase):
> 
>         # Those URLs should not pass the security check
>         for bad_url in ('http://example.com',
>+                        'http:///example.com',
>                         'https://example.com',
>                         'ftp://exampel.com',
>+                        '///example.com',
>                         '//example.com',
>                         'javascript:alert("XSS")'):
>             nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
>@@ -700,8 +704,8 @@ class LogoutTest(AuthViewsTestCase):
>                          '/view/?param=https://example.com',
>                          '/view?param=ftp://exampel.com',
>                          'view/?param=//example.com',
>-                         'https:///',
>-                         'HTTPS:///',
>+                         'https://testserver/',
>+                         'HTTPS://testserver/',
>                          '//testserver/',
>                          '/url%20with%20spaces/'):  # see ticket #12534
>             safe_url = '%(url)s?%(next)s=%(good_url)s' % {
>diff --git a/django/utils/http.py b/django/utils/http.py
>index e336577..28245d2 100644
>--- a/django/utils/http.py
>+++ b/django/utils/http.py
>@@ -272,6 +272,18 @@ def is_safe_url(url, host=None):
>     """
>     if not url:
>         return False
>+    # Chrome treats \ completely as /
>+    url = url.replace('\\', '/')
>+    # Chrome considers any URL with more than two slashes to be absolute, but
>+    # urlaprse is not so flexible. Treat any url with three slashes as unsafe.
>+    if url.startswith('///'):
>+        return False
>     url_info = urlparse(url)
>+    # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
>+    # In that URL, example.com is not the hostname but, a path component. However,
>+    # Chrome will still consider example.com to be the hostname, so we must not
>+    # allow this syntax.
>+    if not url_info.netloc and url_info.scheme:
>+        return False
>     return ((not url_info.netloc or url_info.netloc == host) and
>             (not url_info.scheme or url_info.scheme in ['http', 'https']))
>diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
>index 9f6bcce..2da9c03 100644
>--- a/tests/utils_tests/test_http.py
>+++ b/tests/utils_tests/test_http.py
>@@ -135,6 +135,35 @@ class TestUtilsHttp(unittest.TestCase):
>             self.assertEqual(http.int_to_base36(n), b36)
>             self.assertEqual(http.base36_to_int(b36), n)
> 
>+    def test_is_safe_url(self):
>+        for bad_url in ('http://example.com',
>+                        'http:///example.com',
>+                        'https://example.com',
>+                        'ftp://exampel.com',
>+                        r'\\example.com',
>+                        r'\\\example.com',
>+                        r'/\\/example.com',
>+                        r'\\\example.com',
>+                        r'\\example.com',
>+                        r'\\//example.com',
>+                        r'/\/example.com',
>+                        r'\/example.com',
>+                        r'/\example.com',
>+                        'http:///example.com',
>+                        'http:/\//example.com',
>+                        'http:\/example.com',
>+                        'http:/\example.com',
>+                        'javascript:alert("XSS")'):
>+            self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
>+        for good_url in ('/view/?param=http://example.com',
>+                     '/view/?param=https://example.com',
>+                     '/view?param=ftp://exampel.com',
>+                     'view/?param=//example.com',
>+                     'https://testserver/',
>+                     'HTTPS://testserver/',
>+                     '//testserver/',
>+                     '/url%20with%20spaces/'):
>+            self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
> 
> class ETagProcessingTests(unittest.TestCase):
>     def testParsing(self):

Actions: View | Diff

Attachments on bug 1097505: 895338 | 895339 | 895340 | 895342