
[1.4.x] Added additional checks in is_safe_url to account for flexibl… · django/django@7feb54b · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+50

-4

lines changed


@@ -307,8 +307,10 @@ def test_security_check(self, password='password'):

307 307 308 308

# Those URLs should not pass the security check

309 309

for bad_url in ('http://example.com',

310 +

'http:///example.com',

310 311

'https://example.com',

311 312

'ftp://exampel.com',

313 +

'///example.com',

312 314

'//example.com',

313 315

'javascript:alert("XSS")'):

314 316

@@ -330,8 +332,8 @@ def test_security_check(self, password='password'):

330 332

'/view/?param=https://example.com',

331 333

'/view?param=ftp://exampel.com',

332 334

'view/?param=//example.com',

333 -

'https:///',

334 -

'HTTPS:///',

335 +

'https://testserver/',

336 +

'HTTPS://testserver/',

335 337

'//testserver/',

336 338

'/url%20with%20spaces/'): # see ticket #12534

337 339

safe_url = '%(url)s?%(next)s=%(good_url)s' % {

@@ -467,8 +469,10 @@ def test_security_check(self, password='password'):

467 469 468 470

# Those URLs should not pass the security check

469 471

for bad_url in ('http://example.com',

472 +

'http:///example.com',

470 473

'https://example.com',

471 474

'ftp://exampel.com',

475 +

'///example.com',

472 476

'//example.com',

473 477

'javascript:alert("XSS")'):

474 478

nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {

@@ -488,8 +492,8 @@ def test_security_check(self, password='password'):

488 492

'/view/?param=https://example.com',

489 493

'/view?param=ftp://exampel.com',

490 494

'view/?param=//example.com',

491 -

'https:///',

492 -

'HTTPS:///',

495 +

'https://testserver/',

496 +

'HTTPS://testserver/',

493 497

'//testserver/',

494 498

'/url%20with%20spaces/'): # see ticket #12534

495 499

safe_url = '%(url)s?%(next)s=%(good_url)s' % {
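Review bot: The `'https:///'` and `'HTTPS:///'` entries dropped from the good_url tuples (old lines 333–334 and 491–492) are not moved into the bad_url loops, so the login and logout view tests no longer exercise a scheme-with-empty-host URL at all, even though that is precisely the shape the new netloc check in is_safe_url rejects. I would add `'https:///',` and `'HTTPS:///',` next to `'http:///example.com',` in both bad_url tuples so the view-level tests pin that the redirect is now refused, including for an uppercase scheme. Both test_security_check bodies start before and continue past these hunks, so the surrounding assertions are not visible here.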

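--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -234,6 +234,18 @@ def is_safe_url(url, host=None):
     """
     if not url:
         return False
+    # Chrome treats \ completely as /
+    url = url.replace('\\', '/')
+    # Chrome considers any URL with more than two slashes to be absolute, but
+    # urlaprse is not so flexible. Treat any url with three slashes as unsafe.
+    if url.startswith('///'):
+        return False
     url_info = urlparse.urlparse(url)
+    # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
+    # In that URL, example.com is not the hostname but, a path component. However,
+    # Chrome will still consider example.com to be the hostname, so we must not
+    # allow this syntax.
+    if not url_info[1] and url_info[0]:
+        return False
     return (not url_info[1] or url_info[1] == host) and \
         (not url_info[0] or url_info[0] in ['http', 'https'])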
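Review bot: The new normalisation covers backslashes and a leading `///`, but a URL that begins with whitespace or a control character (`' //example.com'`, `'\t//example.com'`) is still parsed by urlparse with an empty scheme and empty netloc, so the final expression returns True; browsers that follow the WHATWG URL parser strip such leading characters first and would then treat it as a protocol-relative redirect to example.com, which is the same class of browser-versus-urlparse disagreement the new comments describe for `\` and `///`. I would refuse it up front, immediately after the `if not url:` guard: `if url[0].isspace() or ord(url[0]) < 32: return False`, and add `' //example.com'` and `'\t//example.com'` to the bad-URL tests. The comment on the `///` check also misspells the module, `urlaprse` should read `urlparse`. The function's signature and docstring sit above this hunk and are not visible here.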

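--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -78,3 +78,33 @@ def test_base36(self):
         for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:
             self.assertEqual(http.int_to_base36(n), b36)
             self.assertEqual(http.base36_to_int(b36), n)
+
+    def test_is_safe_url(self):
+        for bad_url in ('http://example.com',
+                        'http:///example.com',
+                        'https://example.com',
+                        'ftp://exampel.com',
+                        r'\\example.com',
+                        r'\\\example.com',
+                        r'/\\/example.com',
+                        r'\\\example.com',
+                        r'\\example.com',
+                        r'\\//example.com',
+                        r'/\/example.com',
+                        r'\/example.com',
+                        r'/\example.com',
+                        'http:///example.com',
+                        'http:/\//example.com',
+                        'http:\/example.com',
+                        'http:/\example.com',
+                        'javascript:alert("XSS")'):
+            self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
+        for good_url in ('/view/?param=http://example.com',
+                         '/view/?param=https://example.com',
+                         '/view?param=ftp://exampel.com',
+                         'view/?param=//example.com',
+                         'https://testserver/',
+                         'HTTPS://testserver/',
+                         '//testserver/',
+                         '/url%20with%20spaces/'):
+            self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)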
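Review bot: The bad_url tuple repeats three entries verbatim — `r'\\example.com'` (new lines 87 and 91), `r'\\\example.com'` (88 and 90) and `'http:///example.com'` (84 and 96) — which adds no coverage and makes the list harder to audit against the cases the new is_safe_url branches are meant to catch; drop the second occurrence of each. Beyond `http:///example.com` there is no scheme-with-empty-host case, so adding `'https:///',` and `'HTTPS:///',` would pin the new netloc check for an uppercase scheme as well, matching the entries the view tests stopped treating as safe in this same commit. The deliberate `exampel.com` spelling in both loops is fine as a non-matching host, but a short comment such as `# deliberately misspelt: must never equal the test host` would stop the next reader "fixing" it.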
