
Showing content from https://github.com/django/django/commit/e7b0cace455c2da24492660636bfd48c45a19cdf below:

[1.7.x] Added additional checks in is_safe_url to account for flexibl… · django/django@e7b0cac · GitHub


3 files changed

+50

-4


@@ -483,8 +483,10 @@ def test_security_check(self, password='password'):

483 483 484 484

# Those URLs should not pass the security check

485 485

for bad_url in ('http://example.com',

486 +

'http:///example.com',

486 487

'https://example.com',

487 488

'ftp://exampel.com',

489 +

'///example.com',

488 490

'//example.com',

489 491

'javascript:alert("XSS")'):

490 492

@@ -506,8 +508,8 @@ def test_security_check(self, password='password'):

506 508

'/view/?param=https://example.com',

507 509

'/view?param=ftp://exampel.com',

508 510

'view/?param=//example.com',

509 -

'https:///',

510 -

'HTTPS:///',

511 +

'https://testserver/',

512 +

'HTTPS://testserver/',

511 513

'//testserver/',

512 514

'/url%20with%20spaces/'): # see ticket #12534

513 515

safe_url = '%(url)s?%(next)s=%(good_url)s' % {

@@ -744,8 +746,10 @@ def test_security_check(self, password='password'):

744 746 745 747

# Those URLs should not pass the security check

746 748

for bad_url in ('http://example.com',

749 +

'http:///example.com',

747 750

'https://example.com',

748 751

'ftp://exampel.com',

752 +

'///example.com',

749 753

'//example.com',

750 754

'javascript:alert("XSS")'):

751 755

nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {

@@ -765,8 +769,8 @@ def test_security_check(self, password='password'):

765 769

'/view/?param=https://example.com',

766 770

'/view?param=ftp://exampel.com',

767 771

'view/?param=//example.com',

768 -

'https:///',

769 -

'HTTPS:///',

772 +

'https://testserver/',

773 +

'HTTPS://testserver/',

770 774

'//testserver/',

771 775

'/url%20with%20spaces/'): # see ticket #12534

772 776

safe_url = '%(url)s?%(next)s=%(good_url)s' % {
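Review bot: The bad_url and good_url tuples edited here are duplicated verbatim between the two test_security_check hunks (new lines 485–491 and 748–754, and 508–515 and 769–776), so every future change to the rule set has to be made in two places and can silently drift; hoisting each tuple into one module-level constant that both methods iterate would remove that risk. Unlike the new utils test in this commit, these lists do not exercise the backslash normalisation that is_safe_url now performs, so the view-level round trip is only checked for slash-based forms; that may be deliberate, but a single `r'\\example.com'` entry in each bad_url tuple would close the gap. Both enclosing test_security_check methods start and end outside the hunks.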


@@ -272,6 +272,18 @@ def is_safe_url(url, host=None):

272 272

"""

273 273

if not url:

274 274

return False

275 +

# Chrome treats \ completely as /

276 +

url = url.replace('\\', '/')

277 +

# Chrome considers any URL with more than two slashes to be absolute, but

278 +

# urlaprse is not so flexible. Treat any url with three slashes as unsafe.

279 +

if url.startswith('///'):

280 +

return False

275 281

url_info = urlparse(url)

282 +

# Forbid URLs like http:///example.com - with a scheme, but without a hostname.

283 +

# In that URL, example.com is not the hostname but, a path component. However,

284 +

# Chrome will still consider example.com to be the hostname, so we must not

285 +

# allow this syntax.

286 +

if not url_info.netloc and url_info.scheme:

287 +

return False

276 288

return ((not url_info.netloc or url_info.netloc == host) and

277 289

(not url_info.scheme or url_info.scheme in ['http', 'https']))
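Review bot: The comment on new line 278 misspells the module name: `# urlparse is not so flexible. Treat any url with three slashes as unsafe.`. The `startswith('///')` test on line 279 is only sufficient because it runs after the backslash replacement on line 276 (a raw `\\\example.com` does not start with `///` until then), so a comment such as `# Must stay after the backslash normalisation above` on line 279 would keep a later reorder from reopening that case. The docstring that closes on line 272 is above the hunk and, as far as is visible, still describes only the host and scheme rules; it should also state that backslashes are treated as slashes and that a URL with a scheme but no netloc (`http:///example.com`) is rejected, since callers rely on this function for redirect safety. The function's signature and docstring lie outside the hunk.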


@@ -89,6 +89,36 @@ def test_base36(self):

89 89

self.assertEqual(http.int_to_base36(n), b36)

90 90

self.assertEqual(http.base36_to_int(b36), n)

91 91 92 +

def test_is_safe_url(self):

93 +

for bad_url in ('http://example.com',

94 +

'http:///example.com',

95 +

'https://example.com',

96 +

'ftp://exampel.com',

97 +

r'\\example.com',

98 +

r'\\\example.com',

99 +

r'/\\/example.com',

100 +

r'\\\example.com',

101 +

r'\\example.com',

102 +

r'\\//example.com',

103 +

r'/\/example.com',

104 +

r'\/example.com',

105 +

r'/\example.com',

106 +

'http:///example.com',

107 +

'http:/\//example.com',

108 +

'http:\/example.com',

109 +

'http:/\example.com',

110 +

'javascript:alert("XSS")'):

111 +

self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)

112 +

for good_url in ('/view/?param=http://example.com',

113 +

'/view/?param=https://example.com',

114 +

'/view?param=ftp://exampel.com',

115 +

'view/?param=//example.com',

116 +

'https://testserver/',

117 +

'HTTPS://testserver/',

118 +

'//testserver/',

119 +

'/url%20with%20spaces/'):

120 +

self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)

121 + 92 122 93 123

class ETagProcessingTests(unittest.TestCase):

94 124

def testParsing(self):
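Review bot: The bad_url tuple in test_is_safe_url repeats three entries — `r'\\example.com'` (lines 97 and 101), `r'\\\example.com'` (lines 98 and 100) and `'http:///example.com'` (lines 94 and 106) — so those assertions run twice and the list reads as if it covered more forms than it does; drop the duplicates. The last four bad URLs on lines 107–109 are ordinary string literals whose backslashes survive only because `\/` and `\e` happen not to be recognised escape sequences, which is fragile and will warn on newer interpreters; write them as raw strings like the entries above them, e.g. `r'http:/\//example.com'`. Every case passes `host='testserver'`, so the `host=None` path of the `netloc == host` comparison visible in is_safe_url is not pinned by this test; one `host=None` case for a host-bearing URL would cover it.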
