From 2342693b31f740a422abf7267c53b4e7bc487c1b Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Mon, 9 Mar 2015 20:05:13 -0400
Subject: [PATCH] [1.4.x] Made is_safe_url() reject URLs that start with
 control characters.

This is a security fix; disclosure to follow shortly.
---
 django/utils/http.py                |  9 ++++++++-
 docs/releases/1.4.20.txt            | 19 +++++++++++++++++++
 tests/regressiontests/utils/http.py |  4 +++-
 3 files changed, 30 insertions(+), 2 deletions(-)

Index: python-django-1.4.5/django/utils/http.py
===================================================================
--- python-django-1.4.5.orig/django/utils/http.py	2015-03-19 03:34:08.000000000 +0000
+++ python-django-1.4.5/django/utils/http.py	2015-03-19 05:14:23.805231220 +0000
@@ -4,6 +4,7 @@
 import sys
 import urllib
 import urlparse
+import unicodedata
 from email.utils import formatdate
 
 from django.utils.datastructures import MultiValueDict
@@ -232,9 +233,10 @@
 
     Always returns ``False`` on an empty url.
     """
+    if url is not None:
+        url = url.strip()
     if not url:
         return False
-    url = url.strip()
     # Chrome treats \ completely as /
     url = url.replace('\\', '/')
     # Chrome considers any URL with more than two slashes to be absolute, but
@@ -248,5 +250,10 @@
     # allow this syntax.
     if not url_info[1] and url_info[0]:
         return False
+    # Forbid URLs that start with control characters. Some browsers (like
+    # Chrome) ignore quite a few control characters at the start of a
+    # URL and might consider the URL as scheme relative.
+    if unicodedata.category(unicode(url[0]))[0] == 'C':
+        return False
     return (not url_info[1] or url_info[1] == host) and \
         (not url_info[0] or url_info[0] in ['http', 'https'])
Index: python-django-1.4.5/tests/regressiontests/utils/http.py
===================================================================
--- python-django-1.4.5.orig/tests/regressiontests/utils/http.py	2015-03-19 03:34:08.000000000 +0000
+++ python-django-1.4.5/tests/regressiontests/utils/http.py	2015-03-19 05:14:23.805231220 +0000
@@ -98,7 +98,9 @@
                         'http:\/example.com',
                         'http:/\example.com',
                         'javascript:alert("XSS")'
-                        '\njavascript:alert(x)'):
+                        '\njavascript:alert(x)',
+                        '\x08//example.com',
+                        '\n'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
                      '/view/?param=https://example.com',