python: Convert deprecated Django is_safe_url.

django.utils.http.is_safe_url is a deprecated alias of
django.utils.http.url_has_allowed_host_and_scheme as of Django 3.0,
and will be removed in Django 4.0.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg 2021-04-15 15:59:20 -07:00 committed by Tim Abbott
parent e7ed907cf6
commit dcdb00a5e6
2 changed files with 10 additions and 6 deletions


@ -6,7 +6,7 @@ import urllib
from urllib.parse import urljoin
from django.conf import settings
from django.utils.http import is_safe_url
from django.utils.http import url_has_allowed_host_and_scheme
from libthumbor import CryptoURL
ZULIP_PATH = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
@ -21,7 +21,9 @@ def is_thumbor_enabled() -> bool:
def user_uploads_or_external(url: str) -> bool:
return not is_safe_url(url, allowed_hosts=None) or url.startswith("/user_uploads/")
return not url_has_allowed_host_and_scheme(url, allowed_hosts=None) or url.startswith(
"/user_uploads/"
)
def get_source_type(url: str) -> str:
@ -38,11 +40,13 @@ def generate_thumbnail_url(path: str, size: str = "0x0", is_camo_url: bool = Fal
path = urljoin("/", path)
if not is_thumbor_enabled():
if is_safe_url(path, allowed_hosts=None):
if url_has_allowed_host_and_scheme(path, allowed_hosts=None):
return path
return get_camo_url(path)
if is_safe_url(path, allowed_hosts=None) and not path.startswith("/user_uploads/"):
if url_has_allowed_host_and_scheme(path, allowed_hosts=None) and not path.startswith(
"/user_uploads/"
):
return path
source_type = get_source_type(path)
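Review bot: Missing documentation in `user_uploads_or_external` and `generate_thumbnail_url`: `url_has_allowed_host_and_scheme(..., allowed_hosts=None)` is used here as a local-versus-external classifier rather than as a redirect check, and nothing at the call sites says so. With `allowed_hosts=None` Django accepts only URLs that carry no host, and it returns False for an empty string, so `user_uploads_or_external("")` reports True. I would add a comment above the first call, for example `# allowed_hosts=None: only host-less (local) URLs pass; "" and //host/... count as external.` Both function bodies continue outside the visible hunks, so any handling of those cases elsewhere is not visible here.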


@ -16,7 +16,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect, HttpRes
from django.shortcuts import redirect, render
from django.template.response import SimpleTemplateResponse
from django.urls import reverse
from django.utils.http import is_safe_url
from django.utils.http import url_has_allowed_host_and_scheme
from django.utils.translation import gettext as _
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_safe
@ -79,7 +79,7 @@ ExtraContext = Optional[Dict[str, Any]]
def get_safe_redirect_to(url: str, redirect_host: str) -> str:
is_url_safe = is_safe_url(url=url, allowed_hosts=None)
is_url_safe = url_has_allowed_host_and_scheme(url=url, allowed_hosts=None)
if is_url_safe:
# Mark as safe to prevent Pysa from surfacing false positives for
# open redirects. In this branch, we have already checked that the URL