commit 4c241f1b710da6419d9dca160e80b23b82db7758
Author: Tim Graham <timograham@gmail.com>
Date:   Wed Dec 3 16:14:00 2014 -0500

    [1.4.x] Fixed is_safe_url() to handle leading whitespace.
    
    This is a security fix. Disclosure following shortly.

diff --git a/django/utils/http.py b/django/utils/http.py
index 2d40489..e69a92b 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -234,6 +234,7 @@ def is_safe_url(url, host=None):
     """
     if not url:
         return False
+    url = url.strip()
     # Chrome treats \ completely as /
     url = url.replace('\\', '/')
     # Chrome considers any URL with more than two slashes to be absolute, but
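Review bot: A whitespace-only `url` passes the `if not url` guard and is only afterwards reduced to an empty string by the added `url.strip()`, so the emptiness check no longer covers the value the rest of the function parses. Stripping before the guard closes that gap: `if url is not None: url = url.strip()` followed by the existing `if not url: return False`. `strip()` with no argument removes whitespace only, so other leading control characters that a browser may ignore would, as far as this hunk shows, still reach the scheme check. A comment such as `# Browsers ignore leading whitespace, so strip it before inspecting the scheme` would record why the line exists. The body of is_safe_url continues outside the hunk.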
diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py
index 802b3fa..3ec237a 100644
--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -64,7 +64,7 @@ class TestUtilsHttp(unittest.TestCase):
         # bad input
         for n in [-1, sys.maxint+1, '1', 'foo', {1:2}, (1,2,3)]:
             self.assertRaises(ValueError, http.int_to_base36, n)
-        
+
         for n in ['#', ' ']:
             self.assertRaises(ValueError, http.base36_to_int, n)
 
@@ -73,7 +73,7 @@ class TestUtilsHttp(unittest.TestCase):
 
         # non-integer input
         self.assertRaises(TypeError, http.int_to_base36, 3.141)
-        
+
         # more explicit output testing
         for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:
             self.assertEqual(http.int_to_base36(n), b36)
@@ -97,7 +97,8 @@ class TestUtilsHttp(unittest.TestCase):
                         'http:/\//example.com',
                         'http:\/example.com',
                         'http:/\example.com',
-                        'javascript:alert("XSS")'):
+                        'javascript:alert("XSS")'
+                        '\njavascript:alert(x)'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
                      '/view/?param=https://example.com',
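Review bot: The added entry `'\njavascript:alert(x)'` is never tested as its own URL, because the line before it, `'javascript:alert("XSS")'`, has no trailing comma and Python joins the two adjacent literals into one string that still begins with `javascript:`. That combined value would presumably be rejected with or without the `url.strip()` fix, so the regression test does not pin the leading-whitespace case. Add the comma, `'javascript:alert("XSS")',`, so the newline-prefixed URL becomes a separate tuple element. The tuple opens above the hunk and the `good_url` loop continues below it.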
