File: reverse-1.4.diff

commit c2fe73133b62a1d9e8f7a6b43966570b14618d7e
Author: Florian Apolloner <florian@apolloner.eu>
Date:   Thu Jul 17 21:59:28 2014 +0200

    [1.4.x] Prevented reverse() from generating URLs pointing to other hosts.
    
    This is a security fix. Disclosure following shortly.

--- a/django/core/urlresolvers.py
+++ b/django/core/urlresolvers.py
@@ -406,6 +406,8 @@
                     unicode_kwargs = dict([(k, force_unicode(v)) for (k, v) in kwargs.items()])
                     candidate = (prefix_norm + result) % unicode_kwargs
                 if re.search(u'^%s%s' % (_prefix, pattern), candidate, re.UNICODE):
+                    if candidate.startswith('//'):
+                        candidate = '/%%2F%s' % candidate[2:]
                     return candidate
         # lookup_view can be URL label, or dotted path, or callable, Any of
         # these can be passed in at the top, but callables are not friendly in
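Review bot: The two added lines are the whole security fix yet carry no comment saying why a candidate beginning with `//` is rewritten, and the `'/%%2F%s' % candidate[2:]` form hides the intent behind a doubled percent sign. I would write `candidate = '/%2F' + candidate[2:]` and precede it with `# A path starting with '//' is scheme-relative and would send the browser to another host; encode the second slash.`. Note the rewrite runs only on the branch where the `re.search` above it matched, so candidates that fail the pattern check are returned by whatever code follows, unchanged by this hunk. The enclosing function starts and ends outside this hunk.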
--- a/tests/regressiontests/urlpatterns_reverse/tests.py
+++ b/tests/regressiontests/urlpatterns_reverse/tests.py
@@ -142,6 +142,9 @@
     ('defaults', '/defaults_view2/3/', [], {'arg1': 3, 'arg2': 2}),
     ('defaults', NoReverseMatch, [], {'arg1': 3, 'arg2': 3}),
     ('defaults', NoReverseMatch, [], {'arg2': 1}),
+
+    # Security tests
+    ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
 )
 
 class NoURLPatternsTests(TestCase):
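Review bot: The single regression case pins only the exact two-slash prefix; nothing asserts that an argument with more leading slashes is still neutralised, or that only the second slash is encoded. A second entry such as `('security', '/%2F/example.com/security/', ['//example.com'], {})` would cover that: the candidate `///example.com/security/` starts with `//`, so the fix encodes characters 0-1 and leaves the third slash as a literal path separator. The tuple this hunk extends begins outside the hunk.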
--- a/tests/regressiontests/urlpatterns_reverse/urls.py
+++ b/tests/regressiontests/urlpatterns_reverse/urls.py
@@ -71,4 +71,7 @@
     (r'defaults_view2/(?P<arg1>\d+)/', 'defaults_view', {'arg2': 2}, 'defaults'),
 
     url('^includes/', include(other_patterns)),
+
+    # Security tests
+    url('(.+)/security/$', empty_view, name='security'),
 )
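Review bot: The new pattern `'(.+)/security/$'` is unanchored, like the `defaults_view2` entry above it but unlike the `^includes/` line it sits next to; for a reverse() fixture this makes no difference to the generated URL, but when resolving, an unanchored `(.+)` also matches paths with arbitrary leading segments. `url('^(.+)/security/$', empty_view, name='security')` keeps the fixture consistent with the anchored neighbour without changing the reverse result. The pattern list this hunk extends begins outside the hunk.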