From 07e62a213b1c80d43c127a55d090b8428b7145c7 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Mon, 20 Sep 2021 08:43:36 -0700
Subject: [PATCH] views: Update utility for checking URL safety

Django has updated the is_safe_url() method that we based our implementation on. It is now called url_has_allowed_host_and_scheme(). Our implementation remains simple as we don't allow any hostname or scheme to be set.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/tests/test_views.py | 21 +++++++++++++--------
 plinth/views.py | 5 ++++-
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/plinth/tests/test_views.py b/plinth/tests/test_views.py
index f4971a36b..08668aa13 100644
--- a/plinth/tests/test_views.py
+++ b/plinth/tests/test_views.py
@@ -18,14 +18,19 @@ def test_is_safe_url_valid_url(url):
     assert is_safe_url(url)
 
 
-@pytest.mark.parametrize('url', [
-    '',
-    None,
-    '\\plinth',
-    '///plinth',
-    'https://example.com/plinth/login/',
-    'https:///plinth/login',
-])
+@pytest.mark.parametrize(
+    'url',
+    [
+        '',
+        None,
+        '\\plinth',
+        '///plinth',
+        'https://example.com/plinth/login/',
+        'https:///example.com',
+        'https:///plinth/login',
+        'ftp://example.com',
+        'https://[aabb::ccdd',  # Invalid IPv6
+    ])
 def test_is_safe_url_invalid_url(url):
     """Test invalid URLs for safe URL checks."""
     assert not is_safe_url(url)
diff --git a/plinth/views.py b/plinth/views.py
index 54603236c..a0988e6e3 100644
--- a/plinth/views.py
+++ b/plinth/views.py
@@ -44,7 +44,10 @@ def is_safe_url(url):
     if '\\' in url or url.startswith('///'):
         return False
 
-    result = urllib.parse.urlparse(url)
+    try:
+        result = urllib.parse.urlparse(url)
+    except ValueError:
+        return False
 
     # Only accept URLs to the same site and scheme.
     if result.scheme or result.netloc:
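Review bot: The new `except ValueError:` in is_safe_url() does not say which inputs it guards against; only the test hunk hints at it with `# Invalid IPv6`, so add `except ValueError:  # e.g. a malformed bracketed IPv6 host such as 'https://[aabb::ccdd', which urlparse() rejects` on that line so the reason stays next to the code. The Django function named in the commit message as the model additionally rejects a URL whose first character is in a Unicode control category, because some browsers use only the part of the URL before such a character; is_safe_url()'s body starts before this hunk, so that check may already exist, but if it does not, `if unicodedata.category(url[0])[0] == 'C': return False` placed after the empty-URL handling (with `import unicodedata` at file top) would close the gap. A matching entry such as `'\x00/plinth'` in the test_is_safe_url_invalid_url list of the first hunk would pin that behaviour. The remainder of is_safe_url() lies outside this hunk.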