Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

is_safe_url: Use allowed_hosts instead of depreciated host argument. 

Judging by comparing django 1.11 with django 2.2 code of this function,
this shouldn't change any behavior.
This commit is contained in:
Mateusz Mandera 2020-02-04 14:42:03 +01:00 committed by Tim Abbott
parent bc062e1c4d
commit 0e7c97378e
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
zerver/lib/thumbnail.py
View File

@ -21,7 +21,7 @@ def is_thumbor_enabled() -> bool:
return settings.THUMBOR_URL != ''
def user_uploads_or_external(url: str) -> bool:
return not is_safe_url(url) or url.startswith("/user_uploads/")
return not is_safe_url(url, allowed_hosts=None) or url.startswith("/user_uploads/")
def get_source_type(url: str) -> str:
if not url.startswith('/user_uploads/'):
@ -38,11 +38,11 @@ def generate_thumbnail_url(path: str,
path = urljoin("/", path)
if not is_thumbor_enabled():
if is_safe_url(path):
if is_safe_url(path, allowed_hosts=None):
return path
return get_camo_url(path)
if is_safe_url(path) and not path.startswith("/user_uploads/"):
if is_safe_url(path, allowed_hosts=None) and not path.startswith("/user_uploads/"):
return path
source_type = get_source_type(path)

2
zerver/views/auth.py
View File

@ -57,7 +57,7 @@ ExtraContext = Optional[Dict[str, Any]]
redis_client = get_redis_client()
def get_safe_redirect_to(url: str, redirect_host: str) -> str:
is_url_safe = is_safe_url(url=url, host=redirect_host)
is_url_safe = is_safe_url(url=url, allowed_hosts=set(redirect_host))
if is_url_safe:
return urllib.parse.urljoin(redirect_host, url)
else: