Description: is_safe_url() crashes with a bytestring URL on Python 2
Origin: upstream, https://github.com/django/django/commit/ada7a4aefb9bec4c34667b511022be6057102f98,
 https://github.com/django/django/commit/beb392b85e71fdd41209d323126181d74090fecb
Bug: https://code.djangoproject.com/ticket/26308
Forwarded: not-needed
Author: Claude Paroz <claude@2xlibre.net>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-03-12
Applied-Upstream: 1.8.11

--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -8,7 +8,7 @@ import unicodedata
 from email.utils import formatdate
 
 from django.utils.datastructures import MultiValueDict
-from django.utils.encoding import smart_str, force_unicode
+from django.utils.encoding import smart_str, force_unicode, force_text
 from django.utils.functional import allow_lazy
 
 ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
@@ -237,6 +237,10 @@ def is_safe_url(url, host=None):
         url = url.strip()
     if not url:
         return False
+    try:
+         url = force_text(url)
+    except UnicodeDecodeError:
+        return False
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
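Review bot: The `url = force_text(url)` line under the new `try:` is indented nine spaces where the surrounding lines use multiples of four; Python accepts it, but it should be aligned at eight spaces like the `return False` below it. The fail-closed `return False` on `UnicodeDecodeError` deserves a short comment such as `# Bytes that cannot be decoded cannot be validated; treat the URL as unsafe.`, because callers rely on this function to vet redirect targets. The body of is_safe_url begins above the hunk, and the visible `url.strip()` still runs before decoding, so byte input and text input may be stripped differently; decoding first would put both on the same path.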
--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -1,3 +1,5 @@
+# -*- encoding: utf-8 -*-
+from __future__ import unicode_literals
 import sys
 
 from django.utils import http
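Review bot: Adding `from __future__ import unicode_literals` at module level turns every unprefixed string literal in this test file into unicode on Python 2, not only the ones in the new assertions. If the existing is_safe_url cases further down used plain literals, they previously exercised the native `str` path and now exercise only the unicode path, which leaves the four new `b'...'`/`.encode()` assertions as the sole byte-input coverage. A comment next to the import, for example `# NOTE: literals below are unicode; byte inputs must use b'' explicitly`, would make that visible to whoever adds the next case.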
@@ -111,3 +113,12 @@ class TestUtilsHttp(unittest.TestCase):
                      '//testserver/',
                      '/url%20with%20spaces/'):
             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+
+        # Check binary URLs, regression tests for #26308
+        self.assertTrue(
+            http.is_safe_url(b'https://testserver/', host='testserver'),
+            "binary URLs should be allowed on Python 2"
+        )
+        self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
+        self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
+        self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
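Review bot: The last three new assertions carry no failure message, unlike the first one and the loop above, so a regression would report only `False is not true` without naming the input. Each should say what it pins, for example `"control character before // must be rejected"` for the `b'\x08//example.com'` case and `"undecodable bytes must be rejected"` for the latin-1 case. The enclosing test method starts above the hunk.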
