File: CVE-2015-0220.diff

Package: python-django 1.2.3-3+squeeze15 (Debian squeeze-lts)
Author: Tim Graham <timograham@gmail.com>
Date:   Wed Dec 3 16:14:00 2014 -0500
Subject: Fixed is_safe_url() to handle leading whitespace.
    
    This is a security fix. Disclosure following shortly.

Origin: backport, https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -132,6 +132,7 @@ def is_safe_url(url, host=None):
     """
     if not url:
         return False
+    url = url.strip()
     # Chrome treats \ completely as /
     url = url.replace('\\', '/')
     # Chrome considers any URL with more than two slashes to be absolute, but
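Review bot: the new `url = url.strip()` is placed after the `if not url: return False` guard, so a whitespace-only input passes the guard and continues into the rest of the function as an empty string; move the strip above the guard (or re-check `if not url` after it) so that case returns False on the same early path as an empty URL instead of relying on the later parsing logic to reject it. It would also help to state in the docstring that surrounding whitespace is ignored, and to add a regression test with a leading space and a leading newline, e.g. `' http://example.com'` and `'\nhttp://example.com'`, since those are the inputs this fix is meant to cover. One caveat worth a comment: `str.strip()` removes the whitespace set Python defines (space, tab, newline, carriage return, form feed, vertical tab), which is not necessarily the same set of leading control characters a browser ignores, so note the intended scope next to the call in the same way the `\` handling below is documented.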