author | Michael Manfre <mike@manfre.net> | 2022-06-29 20:39:51 -0400 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-07-01 08:48:38 +0200 |
commit | 03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 (patch) | |
tree | c9ad05e93f1ce711e13e72bda616367988f453a5 /tests/utils_tests | |
parent | 5c93a84f44054034f495267ff2400a5de69a4fc1 (diff) | |
download | django-03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72.tar.gz |
Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
Diffstat (limited to 'tests/utils_tests')
-rw-r--r-- | tests/utils_tests/test_http.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index b2754b4ddb..9978c7bb52 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -177,6 +177,7 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
 r"http:/\example.com",
 'javascript:alert("XSS")',
 "\njavascript:alert(x)",
+ "java\nscript:alert(x)",
 "\x08//example.com",
 r"http://otherserver\@example.com",
 r"http:\\testserver\@example.com", |
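Review bot: Only the newline-inside-the-scheme case is covered by the added `"java\nscript:alert(x)",` entry, while the commit title says the vendored `_urlsplit()` now strips tabs as well. A sibling entry such as `"java\tscript:alert(x)",` (and `"java\rscript:alert(x)",` if carriage returns are stripped too, as in upstream `urlsplit()`) would pin each stripped character, so a later re-sync of the vendored code cannot silently drop one. The list and the test method it belongs to start and end outside this hunk, so I am assuming this is the list of URLs expected to be rejected by `url_has_allowed_host_and_scheme()`.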