author | Drew Fisher <drew.fisher@oracle.com> |
Thu, 10 Mar 2016 13:27:59 -0800 | |
changeset 5578 | fd608d60ca64 |
permissions | -rw-r--r-- |
22852949 problem in PYTHON-MOD/DJANGO
Patches taken from:
https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350 |
https://github.com/django/django/commit/552f03869ea7f3072b3fa19ffb6cb2d957fd8447 |
These fixes were released upstream in Django 1.8.11 and 1.9.4; this file backports them to Django 1.4.22.
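--- a/Django-1.4.22/django/utils/http.py
+++ b/Django-1.4.22/django/utils/http.py
@@ -7,8 +7,9 @@ import urlparse
 import unicodedata
 from email.utils import formatdate
 
+from django.utils import six
 from django.utils.datastructures import MultiValueDict
-from django.utils.encoding import smart_str, force_unicode
+from django.utils.encoding import smart_str, force_unicode, force_text
 from django.utils.functional import allow_lazy
 
 ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
@@ -237,8 +238,16 @@ def is_safe_url(url, host=None):
     url = url.strip()
     if not url:
         return False
-    # Chrome treats \ completely as /
-    url = url.replace('\\', '/')
+    if six.PY2:
+        try:
+            url = force_text(url)
+        except UnicodeDecodeError:
+            return False
+    # Chrome treats \ completely as / in paths but it could be part of some
+    # basic auth credentials so we need to check both URLs.
+    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
+
+def _is_safe_url(url, host):
     # Chrome considers any URL with more than two slashes to be absolute, but
     # urlaprse is not so flexible. Treat any url with three slashes as unsafe.
     if url.startswith('///'):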
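--- a/Django-1.4.22/tests/regressiontests/utils/http.py
+++ b/Django-1.4.22/tests/regressiontests/utils/http.py
@@ -1,3 +1,6 @@
+# -*- encoding: utf-8 -*-
+from __future__ import unicode_literals
+
 import sys
 
 from django.utils import http
@@ -100,6 +103,11 @@ class TestUtilsHttp(unittest.TestCase):
                         'javascript:alert("XSS")'
                         '\njavascript:alert(x)',
                         '\x08//example.com',
+                        r'http://otherserver\@example.com',
+                        r'http:\\testserver\@example.com',
+                        r'http://testserver\me:[email protected]',
+                        r'http://testserver\@example.com',
+                        r'http:\\testserver\confirm\[email protected]',
                         '\n'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
@@ -109,5 +117,14 @@ class TestUtilsHttp(unittest.TestCase):
                          'https://testserver/',
                          'HTTPS://testserver/',
                          '//testserver/',
+                         'http://testserver/[email protected]',
                          '/url%20with%20spaces/'):
             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+        self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
+
+        # Valid basic auth credentials are allowed.
+        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
+        # A path without host is allowed.
+        self.assertTrue(http.is_safe_url('/confirm/[email protected]'))
+        # Basic auth without host is not allowed.
+        self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))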
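Review bot: Four of the added literals contain `[email protected]` (the two bad-URL entries ending in `\me:[email protected]` and `\confirm\[email protected]`, the good-URL `confirm?...` entry, and `'/confirm/[email protected]'`), which looks like an email-obfuscation artifact of the page rather than the committed text; as shown, the bad-URL entries no longer carry the `user:pass@host`-style credentials the backslash-in-credentials case needs, so the file in the repository should be compared against the upstream commits linked in the header before trusting these tests. The three standalone assertions at the end give no failure message, unlike the loops above them that report `"%s should be blocked" % bad_url`; passing the URL as the `msg` argument keeps a failure on a packaged build diagnosable. `host='user:pass@testserver'` pins down that `host` is compared as the full netloc including userinfo, which deserves a comment, since callers presumably pass a `request.get_host()`-style value without userinfo and credential-bearing URLs to the site's own host will then still be rejected — confirm that is the intended contract. The missing comma after `'javascript:alert("XSS")'` in the context line just above the new entries silently concatenates it with the next literal, so that payload is never tested on its own; it is pre-existing, but this tuple is being edited anyway.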