Description: is_safe_url() crashes with a bytestring URL on Python 2
Origin: upstream, https://github.com/django/django/commit/ada7a4aefb9bec4c34667b511022be6057102f98,
https://github.com/django/django/commit/beb392b85e71fdd41209d323126181d74090fecb
Bug: https://code.djangoproject.com/ticket/26308
Forwarded: not-needed
Author: Claude Paroz <claude@2xlibre.net>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-03-12
Applied-Upstream: 1.8.11
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -8,7 +8,7 @@ import unicodedata
from email.utils import formatdate
from django.utils.datastructures import MultiValueDict
-from django.utils.encoding import smart_str, force_unicode
+from django.utils.encoding import smart_str, force_unicode, force_text
from django.utils.functional import allow_lazy
ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
@@ -237,6 +237,10 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
+ try:
+ url = force_text(url)
+ except UnicodeDecodeError:
+ return False
# Chrome treats \ completely as / in paths but it could be part of some
# basic auth credentials so we need to check both URLs.
return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
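Review bot: The decode is placed after `url = url.strip()`, so a bytestring and its text equivalent are not normalised the same way before reaching `_is_safe_url`: on Python 2 `str.strip()` removes only ASCII whitespace, while `unicode.strip()` also removes Unicode whitespace such as U+00A0, so `b'\xc2\xa0//example.com'` is passed on as `u'\xa0//example.com'` whereas the text form is stripped to `u'//example.com'` first. Whether the un-stripped form is then rejected depends on `_is_safe_url`, which is outside this hunk, but a safety check should not give different answers for the same URL depending on its input type. Moving the `try: url = force_text(url) except UnicodeDecodeError: return False` block above the `url.strip()` line makes both paths go through identical normalisation, and the empty-string check then also sees the decoded value. This also assumes `force_text` is exported by this tree's `django.utils.encoding`; the same import line still uses the older `force_unicode` name, so confirm the import resolves in this version. The body of is_safe_url begins before this hunk.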
--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -1,3 +1,5 @@
+# -*- encoding: utf-8 -*-
+from __future__ import unicode_literals
import sys
from django.utils import http
@@ -111,3 +113,12 @@ class TestUtilsHttp(unittest.TestCase):
'//testserver/',
'/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+
+ # Check binary URLs, regression tests for #26308
+ self.assertTrue(
+ http.is_safe_url(b'https://testserver/', host='testserver'),
+ "binary URLs should be allowed on Python 2"
+ )
+ self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
+ self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
+ self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
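Review bot: The new assertions pin the outcome for four bytes inputs but never check that a bytes URL is judged the same as its text form, which is the property the fix is meant to guarantee and the easiest way to catch normalisation differences between the two code paths. A paired assertion such as `self.assertEqual(http.is_safe_url(b'\xc2\xa0//example.com', host='testserver'), http.is_safe_url('\xa0//example.com', host='testserver'))` would document that contract and fail if strip() and decode() are ever applied in an order that treats the two differently. The test method this hunk extends starts before the hunk.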