+49
-4
lines changed
@@ -444,8 +444,10 @@ def test_security_check(self, password='password'):
444
444
445
445
# Those URLs should not pass the security check
446
446
for bad_url in ('http://example.com',
447
+
'http:///example.com',
447
448
'https://example.com',
448
449
'ftp://exampel.com',
450
+
'///example.com',
449
451
'//example.com',
450
452
'javascript:alert("XSS")'):
451
453
@@ -467,8 +469,8 @@ def test_security_check(self, password='password'):
467
469
'/view/?param=https://example.com',
468
470
'/view?param=ftp://exampel.com',
469
471
'view/?param=//example.com',
470
-
'https:///',
471
-
'HTTPS:///',
472
+
'https://testserver/',
473
+
'HTTPS://testserver/',
472
474
'//testserver/',
473
475
'/url%20with%20spaces/'): # see ticket #12534
474
476
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
@@ -660,8 +662,10 @@ def test_security_check(self, password='password'):
660
662
661
663
# Those URLs should not pass the security check
662
664
for bad_url in ('http://example.com',
665
+
'http:///example.com',
663
666
'https://example.com',
664
667
'ftp://exampel.com',
668
+
'///example.com',
665
669
'//example.com',
666
670
'javascript:alert("XSS")'):
667
671
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
@@ -681,8 +685,8 @@ def test_security_check(self, password='password'):
681
685
'/view/?param=https://example.com',
682
686
'/view?param=ftp://exampel.com',
683
687
'view/?param=//example.com',
684
-
'https:///',
685
-
'HTTPS:///',
688
+
'https://testserver/',
689
+
'HTTPS://testserver/',
686
690
'//testserver/',
687
691
'/url%20with%20spaces/'): # see ticket #12534
688
692
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
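Review bot: The bad-URL and good-URL tuples are duplicated verbatim between the two test bodies in this file (the hunks at 444-453 and 662-671, and again at 469-476 and 685-692), so each new case — here `'http:///example.com'` and `'///example.com'`, and the swap of `'https:///'` for `'https://testserver/'` — had to be applied twice, and the backslash variants the utils test exercises appear in neither. Hoisting the two tuples to module level, e.g. `BAD_NEXT_URLS = ('http://example.com', 'http:///example.com', 'https://example.com', ...)` and `GOOD_NEXT_URLS = (...)`, and iterating over those in both methods would keep the view-level coverage in step with whatever `is_safe_url` rejects. Both `test_security_check` bodies begin before and continue past the hunks shown, so the loops' use of `nasty_url`/`safe_url` is only partly visible here.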
@@ -256,6 +256,18 @@ def is_safe_url(url, host=None):
256
256
"""
257
257
if not url:
258
258
return False
259
+
# Chrome treats \ completely as /
260
+
url = url.replace('\\', '/')
261
+
# Chrome considers any URL with more than two slashes to be absolute, but
262
+
# urlaprse is not so flexible. Treat any url with three slashes as unsafe.
263
+
if url.startswith('///'):
264
+
return False
259
265
url_info = urlparse(url)
266
+
# Forbid URLs like http:///example.com - with a scheme, but without a hostname.
267
+
# In that URL, example.com is not the hostname but, a path component. However,
268
+
# Chrome will still consider example.com to be the hostname, so we must not
269
+
# allow this syntax.
270
+
if not url_info.netloc and url_info.scheme:
271
+
return False
260
272
return (not url_info.netloc or url_info.netloc == host) and \
261
273
(not url_info.scheme or url_info.scheme in ['http', 'https'])
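Review bot: The new `url = url.replace('\\', '/')` line models only clients that read a backslash as a slash and then parses just that rewritten form; a client that parses `\` literally would read `//testserver\@example.com` as userinfo `testserver\` on host `example.com`, yet this function accepts it because the rewritten `//testserver/@example.com` parses to netloc `testserver`. Requiring both spellings to pass closes that gap without changing any of the cases the new tests pin. Separately, `urlparse` can raise `ValueError` on a malformed IPv6 netloc such as `http://[`, so the call on the line after the triple-slash check would propagate an exception instead of returning False; and the comment above that check misspells `urlparse` as `urlaprse`. The `def is_safe_url(url, host=None)` line and its docstring sit before the hunk.
```python
def is_safe_url(url, host=None):
    # … unchanged: docstring …
    if not url:
        return False
    # Chrome treats \ completely as /, but other clients parse it literally,
    # so the URL must be safe under both readings (otherwise a backslash can
    # hide inside the userinfo part, e.g. //host\@evil.example).
    return (_is_safe_url(url, host) and
            _is_safe_url(url.replace('\\', '/'), host))


def _is_safe_url(url, host):
    # Chrome considers any URL with more than two slashes to be absolute, but
    # urlparse is not so flexible. Treat any url with three slashes as unsafe.
    if url.startswith('///'):
        return False
    try:
        url_info = urlparse(url)
    except ValueError:  # e.g. a malformed IPv6 netloc such as 'http://['
        return False
    # … unchanged: scheme-without-netloc check and final host/scheme test …
```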
@@ -91,6 +91,35 @@ def test_base36(self):
91
91
self.assertEqual(http.int_to_base36(n), b36)
92
92
self.assertEqual(http.base36_to_int(b36), n)
93
93
94
+
def test_is_safe_url(self):
95
+
for bad_url in ('http://example.com',
96
+
'http:///example.com',
97
+
'https://example.com',
98
+
'ftp://exampel.com',
99
+
r'\\example.com',
100
+
r'\\\example.com',
101
+
r'/\\/example.com',
102
+
r'\\\example.com',
103
+
r'\\example.com',
104
+
r'\\//example.com',
105
+
r'/\/example.com',
106
+
r'\/example.com',
107
+
r'/\example.com',
108
+
'http:///example.com',
109
+
'http:/\//example.com',
110
+
'http:\/example.com',
111
+
'http:/\example.com',
112
+
'javascript:alert("XSS")'):
113
+
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
114
+
for good_url in ('/view/?param=http://example.com',
115
+
'/view/?param=https://example.com',
116
+
'/view?param=ftp://exampel.com',
117
+
'view/?param=//example.com',
118
+
'https://testserver/',
119
+
'HTTPS://testserver/',
120
+
'//testserver/',
121
+
'/url%20with%20spaces/'):
122
+
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
94
123
95
124
class ETagProcessingTests(unittest.TestCase):
96
125
def testParsing(self):
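Review bot: The `bad_url` tuple in `test_is_safe_url` lists three entries twice — `r'\\example.com'`, `r'\\\example.com'` and `'http:///example.com'` — which adds no coverage and obscures which backslash variants are actually exercised; the repeats should be dropped. The entries `'http:/\//example.com'`, `'http:\/example.com'` and `'http:/\example.com'` are ordinary strings that only keep their backslashes because `\/` and `\e` are unrecognised escapes, while the neighbouring cases use `r'...'`; writing all of them as raw strings makes the intent explicit and avoids a later invalid-escape warning. One case worth adding once `is_safe_url` also checks the un-rewritten URL is `r'//testserver\@example.com'`, which a client that parses `\` literally resolves to host `example.com`. The whole test method is inside this hunk; the preceding `test_base36` and the following `ETagProcessingTests` are cut at its edges.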