Opened 2 months ago

Last modified 8 weeks ago

#28638 new Cleanup/optimization

Allow `is_safe_url` to work without `allowed_hosts` or make the parameter mandatory

Reported by: kemar Owned by: nobody
Component: Utilities Version: 1.11
Severity: Normal Keywords:
Cc: Florian Apolloner Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

>>> from django.utils.http import is_safe_url

>>> is_safe_url("https://www.djangoproject.com")
False

>>> is_safe_url("https://www.djangoproject.com", allowed_hosts={"www.djangoproject.com"})
True

If this may have an impact on security, then make it clear that allowed_hosts is mandatory by removing its None default value https://github.com/django/django/blob/98706bb35e7de0e445cc336f669919047bf46b75/django/utils/http.py#L265.

Change History (4)

comment:1 Changed 2 months ago by kemar

Component: Uncategorized → Utilities

comment:2 Changed 8 weeks ago by Tim Graham

Cc: Florian Apolloner added
Type: Uncategorized → Cleanup/optimization

The host argument has been optional since the original commit that added is_safe_url() (a2f2a399566dd68ce7e312fff5a5ba857066797d) -- now the parameter is named allowed_hosts. Django always provides that argument -- I'm not sure if there's a use case for not providing it. Did you have something in mind, Florian?

comment:3 Changed 8 weeks ago by Florian Apolloner

Not that I can think of. We could default allowed_hosts to settings.ALLOWED_HOSTS, but I am not sure if that is a good idea given that we can have a star in there.
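To make the behaviour in the description and the concern in comment 3 concrete, here is an added example (not Django's own code, and not part of this ticket) that models is_safe_url() as a simplified re-implementation on top of urllib.parse: relative URLs pass, absolute URLs pass only when their host is in allowed_hosts, and a None or empty allowed_hosts therefore rejects every absolute URL. The hosts_from_setting() adapter is a hypothetical helper that shows why settings.ALLOWED_HOSTS cannot be dropped in as a default: a literal "*" matches no real hostname, while honouring it as a wildcard would let every host through. Host values used below are constructed for illustration.

```python
"""Simplified model of Django's is_safe_url() open-redirect check.

Added illustration, not Django's code: the real function lives in
django.utils.http and is the reference for exact behaviour.
"""
import unicodedata
from urllib.parse import urlparse


def is_safe_url(url, allowed_hosts=None, require_https=False):
    """True if `url` is relative or points only at one of `allowed_hosts`.

    With allowed_hosts=None nothing can match, so every absolute URL is
    refused; that is the result the ticket description shows.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    if allowed_hosts is None:
        allowed_hosts = set()
    elif isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Some browsers treat "\" as "/", so the check must hold for both forms.
    return (_is_safe_url(url, allowed_hosts, require_https)
            and _is_safe_url(url.replace("\\", "/"), allowed_hosts, require_https))


def _is_safe_url(url, allowed_hosts, require_https):
    # Chrome reads three leading slashes as an absolute URL; urlparse does not.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # "http:///host/" has a scheme but no netloc, yet browsers still see a host.
    if info.scheme and not info.netloc:
        return False
    # A leading control character is ignored by some browsers; refuse it.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = info.scheme
    if not scheme and info.netloc:
        scheme = "http"  # protocol-relative "//host/path" behaves like http
    valid_schemes = ("https",) if require_https else ("http", "https")
    return ((not info.netloc or info.netloc in allowed_hosts)
            and (not scheme or scheme in valid_schemes))


def hosts_from_setting(allowed_hosts_setting):
    """Hypothetical adapter from an ALLOWED_HOSTS list to the set is_safe_url() wants.

    ALLOWED_HOSTS may contain "*" (any host) or ".example.com" (any subdomain),
    which Django's Host-header validation understands. is_safe_url() compares
    hostnames literally, so "*" would match nothing and ".example.com" would
    match nothing either; expanding the wildcard instead would accept every
    host and make the redirect check a no-op. Refuse such settings outright.
    """
    for host in allowed_hosts_setting:
        if host == "*" or host.startswith("."):
            raise ValueError(
                "ALLOWED_HOSTS contains a pattern (%r); pass an explicit host set" % host
            )
    return set(allowed_hosts_setting)


if __name__ == "__main__":
    # Constructed sample inputs: the ticket's two calls plus common redirect targets.
    host = {"www.djangoproject.com"}
    print(is_safe_url("https://www.djangoproject.com"))                    # False
    print(is_safe_url("https://www.djangoproject.com", allowed_hosts=host))  # True
    print(is_safe_url("/accounts/profile/", allowed_hosts=host))            # True
    print(is_safe_url("//evil.example/", allowed_hosts=host))               # False
    print(is_safe_url("https://evil.example/", allowed_hosts={"*"}))        # False
```

In a view, the caller decides what the trusted host set is (typically `request.get_host()`), and the adapter makes the failure explicit instead of silently turning every redirect target into a rejection.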

comment:4 Changed 8 weeks ago by Florian Apolloner

Triage Stage: Unreviewed → Accepted