is_safe_url: Use allowed_hosts instead of depreciated host argument.

Judging by comparing django 1.11 with django 2.2 code of this function, this shouldn't change any behavior.
2020-02-04 14:42:03 +01:00 · 2020-02-04 14:42:03 +01:00 · 0e7c97378e
parent bc062e1c4d
commit 0e7c97378e
2 changed files with 4 additions and 4 deletions
--- a/zerver/lib/thumbnail.py
+++ b/zerver/lib/thumbnail.py
@ -21,7 +21,7 @@ def is_thumbor_enabled() -> bool:
    return settings.THUMBOR_URL != ''

 def user_uploads_or_external(url: str) -> bool:
-    return not is_safe_url(url) or url.startswith("/user_uploads/")
+    return not is_safe_url(url, allowed_hosts=None) or url.startswith("/user_uploads/")

 def get_source_type(url: str) -> str:
    if not url.startswith('/user_uploads/'):
@ -38,11 +38,11 @@ def generate_thumbnail_url(path: str,
    path = urljoin("/", path)

    if not is_thumbor_enabled():
-        if is_safe_url(path):
+        if is_safe_url(path, allowed_hosts=None):
            return path
        return get_camo_url(path)

-    if is_safe_url(path) and not path.startswith("/user_uploads/"):
+    if is_safe_url(path, allowed_hosts=None) and not path.startswith("/user_uploads/"):
        return path

    source_type = get_source_type(path)
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
@ -57,7 +57,7 @@ ExtraContext = Optional[Dict[str, Any]]
 redis_client = get_redis_client()

 def get_safe_redirect_to(url: str, redirect_host: str) -> str:
-    is_url_safe = is_safe_url(url=url, host=redirect_host)
+    is_url_safe = is_safe_url(url=url, allowed_hosts=set(redirect_host))
    if is_url_safe:
        return urllib.parse.urljoin(redirect_host, url)
    else: