Add `secure` argument to `is_safe_url()`

[Przemysław Suliga]

django.utils.http.is_safe_url() considers any HTTP and HTTPS url safe as long as its hostname matches the host argument. Currently this is true: is_safe_url('http://example.com', host='example.com').

Let's add a secure argument to is_safe_url() so that when it's True, only HTTPS is considered as a safe scheme.

The existence of that argument alone would make users aware of potential issues that can arise from ignoring it. For example if a developer uses is_safe_url() to validate user supplied urls for redirection to a target with appended secrets as url query params.

django.contrib.admin uses django.contrib.auth login view where is_safe_url() is used to validate the next query param. This scenario is currently possible:

• user goes to ​https://example.net/admin/login/?next=http://example.net/admin/foo
• they enter their credentials and POST to the above url
• They're successfully authenticated, they receive a response with a new session cookie and are redirected to ​http://example.net/admin/foo

Of course our HTTPS site should only set Secure session cookies and use HSTS, so there should be no possibility of the the cookie being sent by the user via HTTP. But if the site doesn't set secure cookies and doesn't use HSTS, this is a problem. If the site doesn't use secure cookies in the first place, then the secure param to is_safe_url() won't help much.. but I would argue it still makes the validation more "complete".

[Tim Graham]

​PR

[Berker Peksag]

​PR #6923 looks good to me. I just left two minor comments about the PR.

[Tim Graham <timograham@…>]

In 5e5a1702:

Fixed #26902 -- Allowed is_safe_url() to require an https URL.

Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.

[Tim Graham <timograham@…>]

In 549b90fa:

Refs #26902 -- Protected against insecure redirects in Login/LogoutView.

[Tim Graham <timograham@…>]

In 1f68bb56:

Refs #26902 -- Protected against insecure redirects in set_language().