File 0002-1.5.x-Fixed-is_safe_url-to-handle-leading-whitespace.patch of Package python-django.openSUSE_13.1_Update

From 4eec954e2ad330d7cd4429450f2d49b414bc72eb Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Wed, 3 Dec 2014 16:14:00 -0500
Subject: [PATCH 2/4] [1.5.x] Fixed is_safe_url() to handle leading whitespace.
 (bnc#913054, CVE-2015-0220)

This is a security fix.
Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`_

cherry-picked-from: 72e0b033662faa11bb7f516f18a132728aa0ae28
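The following is an added example and not Django's code or part of this patch. It puts a reduced redirect-target check that mirrors the ordering visible in the hunk below (emptiness test first, then `strip()`) next to a hardened variant that strips before testing for emptiness and, going beyond what the patch does, also removes tab, CR and LF from inside the string, which browsers discard anywhere in a URL. The scheme/host policy in `_parse_and_judge`, the function names and the sample inputs are assumptions for illustration; recent CPython releases already remove tab/CR/LF inside `urlsplit()` (bpo-43882), so the explicit removal matters most on older interpreters.

```python
"""Added example (not Django's code): emptiness-then-strip as in the patch,
beside a strip-then-emptiness variant that also drops embedded tab/CR/LF."""
from urllib.parse import urlparse

ALLOWED_SCHEMES = frozenset({"http", "https"})
# Characters browsers discard anywhere in a URL; str.strip() never touches
# them when they sit inside the string rather than at its ends.
EMBEDDED_WHITESPACE = ("\t", "\r", "\n")


def _parse_and_judge(url, host):
    """Assumed policy applied after normalisation (not a copy of Django's):
    fold backslashes to slashes, refuse three leading slashes, refuse a
    scheme without a host, then require netloc in {'', host} and scheme in
    {'', 'http', 'https'}."""
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    if parts.scheme and not parts.netloc:
        # http:///example.com or javascript:alert(x): a scheme but no host
        return False
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def check_as_patched(url, host):
    """Same ordering as the patch hunk: test for emptiness, then strip.
    A whitespace-only value survives the emptiness test, is stripped to ''
    and is then judged as an (accepted) empty relative URL."""
    if not url:
        return False
    url = url.strip()
    return _parse_and_judge(url, host)


def check_hardened(url, host):
    """Strip first, test for emptiness second, then remove tab/CR/LF that
    sit inside the string before parsing."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    for ch in EMBEDDED_WHITESPACE:
        url = url.replace(ch, "")
    return _parse_and_judge(url, host)


if __name__ == "__main__":
    # Constructed sample inputs; 'testserver' is the host the patch's tests use.
    for candidate in ("\njavascript:alert(x)", "   ", "java\nscript:alert(x)",
                      " /view/ ", "http://testserver/next", "http:\\\\evil.example/"):
        print(repr(candidate), check_as_patched(candidate, "testserver"),
              check_hardened(candidate, "testserver"))
```

Both functions reject the page's `'\njavascript:alert(x)'` case once the leading newline is stripped; they differ on input that is nothing but whitespace, which `check_as_patched` accepts and `check_hardened` rejects, and on a newline placed after the first character of the scheme, which only the hardened variant is guaranteed to catch on every interpreter version.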
---
 django/utils/http.py                | 1 +
 tests/regressiontests/utils/http.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/django/utils/http.py b/django/utils/http.py
index 67912f7..f690a79 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -237,6 +237,7 @@ def is_safe_url(url, host=None):
     """
     if not url:
         return False
+    url = url.strip()
     # Chrome treats \ completely as /
     url = url.replace('\\', '/')
     # Chrome considers any URL with more than two slashes to be absolute, but
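Review bot: the new `url = url.strip()` sits after the `if not url: return False` test, so a value consisting only of whitespace passes the emptiness check, is reduced to `''` by the strip and then continues through the rest of the function, whereas the literal empty string is rejected up front. Suggest stripping first and testing for emptiness afterwards, keeping the `None` case covered that the existing test currently catches:

    if url is not None:
        url = url.strip()
    if not url:
        return False

A short comment on the new line would also help, in the style of the "Chrome treats \ completely as /" comment that follows it: `strip()` only trims the ends of the string, so the line handles leading and trailing whitespace and nothing else, and the reader should not take it for a general whitespace sanitiser.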
diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py
index 87a6ba4..88bcfb8 100644
--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -109,7 +109,8 @@ class TestUtilsHttp(unittest.TestCase):
                         'http:/\//example.com',
                         'http:\/example.com',
                         'http:/\example.com',
-                        'javascript:alert("XSS")'):
+                        'javascript:alert("XSS")',
+                        '\njavascript:alert(x)'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
                      '/view/?param=https://example.com',
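Review bot: the only regression case added is `'\njavascript:alert(x)'`, a single leading newline; since the fix is a plain `strip()`, the `bad_url` tuple should also cover a leading space and tab (`' javascript:alert(x)'`, `'\tjavascript:alert(x)'`), trailing whitespace, and a whitespace-only string, so that the test pins down what `is_safe_url()` returns for input that becomes empty after stripping. The `good_url` tuple just below should gain a relative path with surrounding whitespace, for example `' /view/ '`, if accepting such input is the intended effect of the strip, so the accepted side of the new behaviour is documented as well.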
-- 
1.8.1.4
