+10
-5
@@ -328,7 +328,8 @@ def test_security_check(self, password='password'):
328
328
for bad_url in ('http://example.com',
329
329
'https://example.com',
330
330
'ftp://exampel.com',
331
-
'//example.com'):
331
+
'//example.com',
332
+
'javascript:alert("XSS")'):
332
333
333
334
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
334
335
'url': login_url,
@@ -349,6 +350,7 @@ def test_security_check(self, password='password'):
349
350
'/view?param=ftp://exampel.com',
350
351
'view/?param=//example.com',
351
352
'https:///',
353
+
'HTTPS:///',
352
354
'//testserver/',
353
355
'/url%20with%20spaces/'): # see ticket #12534
354
356
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
@@ -522,7 +524,8 @@ def test_security_check(self, password='password'):
522
524
for bad_url in ('http://example.com',
523
525
'https://example.com',
524
526
'ftp://exampel.com',
525
-
'//example.com'):
527
+
'//example.com',
528
+
'javascript:alert("XSS")'):
526
529
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
527
530
'url': logout_url,
528
531
'next': REDIRECT_FIELD_NAME,
@@ -541,6 +544,7 @@ def test_security_check(self, password='password'):
541
544
'/view?param=ftp://exampel.com',
542
545
'view/?param=//example.com',
543
546
'https:///',
547
+
'HTTPS:///',
544
548
'//testserver/',
545
549
'/url%20with%20spaces/'): # see ticket #12534
546
550
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
@@ -231,11 +231,12 @@ def same_origin(url1, url2):
231
231
def is_safe_url(url, host=None):
232
232
"""
233
233
Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
234
-
a different host).
234
+
a different host and uses a safe scheme).
235
235
236
236
Always returns ``False`` on an empty url.
237
237
"""
238
238
if not url:
239
239
return False
240
-
netloc = urllib_parse.urlparse(url)[1]
241
-
return not netloc or netloc == host
240
+
url_info = urllib_parse.urlparse(url)
241
+
return (not url_info.netloc or url_info.netloc == host) and \
242
+
(not url_info.scheme or url_info.scheme in ['http', 'https'])
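Review bot: The scheme allow-list added on the last two lines still trusts `urlparse` to see the same scheme and netloc a browser will, so inputs the two parse differently — leading whitespace or control characters, backslashes where slashes are expected, a bare `///` prefix like the `https:///` case the test file asserts as safe — may pass this check yet be followed by the browser as an absolute or scheme-carrying URL; this is a parser-differential risk rather than a flaw in the allow-list itself, which is the right deny-by-default shape. Consider normalising and rejecting such inputs before parsing, e.g. `if url != url.strip() or url.startswith(('\\', '///')): return False`, with the `https:///`/`HTTPS:///` expectations in the test file revisited accordingly. The docstring should state the contract the new code enforces: `Only the ``http`` and ``https`` schemes are accepted; a URL with no scheme is treated as relative to the current host.` Comparing against lowercase names is sound because `urlparse` lowercases the scheme, which the added `'HTTPS:///'` test case relies on; a tuple or set, `('http', 'https')`, is the idiomatic literal for that membership test.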