Description: Prevented reverse() from generating URLs pointing to other hosts
Backport of made by Raphaël Hertzog.
Origin: backport, https://github.com/django/django/commit/c2fe73133b62a1d9e8f7a6b43966570b14618d7e
Forwarded: not-needed
Author: Florian Apolloner <florian@apolloner.eu>
--- a/django/core/urlresolvers.py
+++ b/django/core/urlresolvers.py
@@ -307,6 +307,8 @@ class RegexURLResolver(object):
unicode_kwargs = dict([(k, force_unicode(v)) for (k, v) in kwargs.items()])
candidate = result % unicode_kwargs
if re.search(u'^%s' % pattern, candidate, re.UNICODE):
+ if candidate.startswith('/'):
+ candidate = '%%2F%s' % candidate[1:]
return candidate
# lookup_view can be URL label, or dotted path, or callable, Any of
# these can be passed in at the top, but callables are not friendly in
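Review bot: The two added lines above `return candidate` carry no explanation of the condition they close, and `'%%2F%s'` is easy to misread as a leftover of the `result % unicode_kwargs` substitution two lines earlier. I would add a why-comment above the `if`: `# A candidate beginning with '/' would become '//host/...' once the script prefix is prepended; browsers read that as a scheme-relative URL to another host, so escape the slash to keep it a path.` and note on the assignment that `%%` is needed because this string is itself %-formatted and must yield a literal `%2F`. Where the prefix is joined is not visible in this hunk; the expected value `/%2Fexample.com/security/` in the tests hunk suggests the caller does it, so the comment's wording should be confirmed against that code. The enclosing method of RegexURLResolver starts and ends outside the hunk.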
--- a/tests/regressiontests/urlpatterns_reverse/tests.py
+++ b/tests/regressiontests/urlpatterns_reverse/tests.py
@@ -106,7 +106,10 @@ test_data = (
('kwargs_view', '/arg_view/10/', [], {'arg1':10}),
('regressiontests.urlpatterns_reverse.views.absolute_kwargs_view', '/absolute_arg_view/', [], {}),
('regressiontests.urlpatterns_reverse.views.absolute_kwargs_view', '/absolute_arg_view/10/', [], {'arg1':10}),
- ('non_path_include', '/includes/non_path_include/', [], {})
+ ('non_path_include', '/includes/non_path_include/', [], {}),
+
+ # Security tests
+ ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
)
--- a/tests/regressiontests/urlpatterns_reverse/urls.py
+++ b/tests/regressiontests/urlpatterns_reverse/urls.py
@@ -63,6 +63,9 @@ urlpatterns = patterns('',
url('^includes/', include(other_patterns)),
+
+ # Security tests
+ url('(.+)/security/$', empty_view, name='security'),
)