From d6b0e58c4333f1c3277283d1e3cdf4e129d8fbbb Mon Sep 17 00:00:00 2001
From: Mark Striemer <mstriemer@mozilla.com>
Date: Thu, 21 Jul 2016 04:33:10 +0200
Subject: CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth

Origin: upstream, https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
Bug-Debian: https://bugs.debian.org/816434
Forwarded: not-needed
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-03-12
Applied-Upstream: 1.8.10
---
 django/utils/http.py           |  8 ++++++--
 tests/utils_tests/test_http.py | 12 ++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/django/utils/http.py b/django/utils/http.py
index ef88f65..007edd4 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -274,8 +274,12 @@ def is_safe_url(url, host=None):
         url = url.strip()
     if not url:
         return False
-    # Chrome treats \ completely as /
-    url = url.replace('\\', '/')
+    # Chrome treats \ completely as / in paths but it could be part of some
+    # basic auth credentials so we need to check both URLs.
+    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+
+def _is_safe_url(url, host):
     # Chrome considers any URL with more than two slashes to be absolute, but
     # urlparse is not so flexible. Treat any url with three slashes as unsafe.
     if url.startswith('///'):
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 3b367a4..c8fe0b3 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -110,6 +110,11 @@ class TestUtilsHttp(unittest.TestCase):
                         'javascript:alert("XSS")',
                         '\njavascript:alert(x)',
                         '\x08//example.com',
+                        r'http://otherserver\@example.com',
+                        r'http:\\testserver\@example.com',
+                        r'http://testserver\me:pass@example.com',
+                        r'http://testserver\@example.com',
+                        r'http:\\testserver\confirm\me@example.com',
                         '\n'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
@@ -119,8 +124,15 @@ class TestUtilsHttp(unittest.TestCase):
                      'https://testserver/',
                      'HTTPS://testserver/',
                      '//testserver/',
+                     'http://testserver/confirm?email=me@example.com',
                      '/url%20with%20spaces/'):
             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+        # Valid basic auth credentials are allowed.
+        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
+        # A path without host is allowed.
+        self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
+        # Basic auth without host is not allowed.
+        self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
 
     def test_urlsafe_base64_roundtrip(self):
         bytestring = b'foo'