Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#24321 closed Bug (fixed)

`utils.http.same_origin` doesn't comply with RFC6454

Reported by: Lukas Klein
Owned by: nobody
Component: Utilities
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Lukas Klein)

According to RFC6454 (http://tools.ietf.org/html/rfc6454#section-3.2.1) both of these should be True:

>>> from django.utils.http import same_origin
>>> same_origin('http://google.com', 'http://google.com')
True
>>> same_origin('http://google.com', 'http://google.com:80')
False

Quote:

All of the following resources have the same origin:

http://example.com/
http://example.com:80/
http://example.com/path/file

Each of the URIs has the same scheme, host, and port components.

Django's same_origin uses the standard urllib, which will return an empty port if none is explicitly specified.

My suggestion (see GitHub pull request: https://github.com/django/django/pull/4108) is to extend same_origin to use a protocol-to-port-mapping if no port is explicitly declared.
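The following is an added example, not Django's code and not the patch from the pull request above. It reconstructs the failure mode the report describes (comparing the raw urllib port, which is None when the URL has no explicit port) next to an origin comparison that follows RFC 6454: same scheme, same host, same effective port, where a missing port is resolved through a scheme-to-default-port mapping. The DEFAULT_PORTS table and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Default port per scheme, used when the URL carries no explicit port.
# This mapping is an assumption of the example; extend it for other schemes.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}


def origin_tuple(url):
    """Return (scheme, host, effective_port) for url, or None when the URL
    has no usable scheme/host or carries a port that is not an integer."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # None when the URL does not spell out a port
    except ValueError:  # e.g. "http://example.com:abc"
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    # urlsplit already lowercases scheme and hostname, which matches the
    # case-insensitive host comparison RFC 6454 calls for.
    return (parts.scheme, parts.hostname, port)


def same_origin_naive(url1, url2):
    """Reconstruction of the bug in the report: an implicit port (None) and
    an explicit default port (80) compare unequal."""
    p1, p2 = urlsplit(url1), urlsplit(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def same_origin(url1, url2):
    """RFC 6454 origin comparison: scheme, host and effective port must all
    match. Unparseable URLs are never considered same-origin."""
    o1, o2 = origin_tuple(url1), origin_tuple(url2)
    if o1 is None or o2 is None:
        return False
    return o1 == o2


if __name__ == "__main__":
    pairs = [
        ("http://google.com", "http://google.com"),
        ("http://google.com", "http://google.com:80"),
        ("http://example.com", "https://example.com"),
        ("http://example.com", "http://example.com:8080"),
    ]
    for a, b in pairs:
        print(a, b, "naive:", same_origin_naive(a, b), "rfc6454:", same_origin(a, b))
```

The naive variant only disagrees with the RFC-compliant one on the implicit-versus-explicit default port case from the report; both still reject a scheme change or a non-default port, which is the property an origin check exists to enforce.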

Change History (5)

comment:1 by Lukas Klein, 10 years ago

Description: modified (diff)

comment:2 by Berker Peksag, 10 years ago

Triage Stage: Unreviewed → Accepted

comment:3 by Claude Paroz, 10 years ago

Triage Stage: Accepted → Ready for checkin

comment:4 by Claude Paroz <claude@…>, 10 years ago

Resolution: fixed
Status: new → closed

In 93b3ef9b2e191101c1a49b332d042864df74a658:

Fixed #24321 -- Improved utils.http.same_origin compliance with RFC6454

comment:5 by Claude Paroz <claude@…>, 10 years ago

In 1904022f91d0e987d972359d98993422db11ab3f:

[1.8.x] Fixed #24321 -- Improved utils.http.same_origin compliance with RFC6454

Backport of 93b3ef9b2e from master.
