id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29525	Handle strings as allowed_hosts arguments to is_safe_url()	Przemysław Suliga	nobody	"`is_safe_url()` expects a sequence of strings as its `allowed_hosts` argument like this

{{{
>>> is_safe_url('http://example.com/abc', allowed_hosts={'example.com'})
True
}}}

When `allowed_hosts` is passed in incorrectly as a string instead of as a sequence of strings like this

{{{
>>> is_safe_url('http://good.co/evil', allowed_hosts='good.com')
True
}}}

`is_safe_url()` will return `True` for some cases which might be exploited.

Since `is_safe_url()` is not Django's public API, I decided to not go via `security@djangoproject.com`.

Proposed solution is in https://github.com/django/django/pull/10082"	Cleanup/optimization	closed	Utilities	dev	Normal	fixed		Jon Dufresne	Accepted	1	0	0	0	0	0
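
The behaviour reported in this ticket comes from Python's `in` operator, which tests exact membership on a set but searches for a substring on a `str`. The following is an added example, not code from the ticket or from Django: `host_allowed_naive`, `normalize_allowed_hosts` and `host_allowed_strict` are hypothetical stand-ins for the host check, and the URLs are the ones quoted in the ticket.

```python
from urllib.parse import urlsplit


def host_allowed_naive(url, allowed_hosts):
    """Hypothetical stand-in for the host check: trusts the argument's type."""
    netloc = urlsplit(url).netloc
    # With a set this is exact membership; with a str it is a substring search,
    # so 'good.co' is "in" 'good.com'.
    return not netloc or netloc in allowed_hosts


def normalize_allowed_hosts(allowed_hosts):
    """Coerce the argument to a set of host names (assumed mitigation)."""
    if allowed_hosts is None:
        return set()
    if isinstance(allowed_hosts, str):
        # A lone string is one host, not a sequence of characters.
        return {allowed_hosts}
    return set(allowed_hosts)


def host_allowed_strict(url, allowed_hosts):
    """Same check, but always against a set, so matching is exact."""
    netloc = urlsplit(url).netloc
    return not netloc or netloc in normalize_allowed_hosts(allowed_hosts)


# Inputs taken from the ticket: (url, allowed_hosts)
CASES = [
    ("http://example.com/abc", {"example.com"}),  # correct usage
    ("http://good.co/evil", "good.com"),          # string passed by mistake
    ("http://good.com/ok", "good.com"),           # string, exact host
]

if __name__ == "__main__":
    for url, hosts in CASES:
        print(url, repr(hosts),
              "naive:", host_allowed_naive(url, hosts),
              "strict:", host_allowed_strict(url, hosts))
```
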
