From dcdb00a5e67a82e0594ca8a0226ebbe9ed05d57b Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Thu, 15 Apr 2021 15:59:20 -0700
Subject: [PATCH] python: Convert deprecated Django is_safe_url.

django.utils.http.is_safe_url is a deprecated alias of django.utils.http.url_has_allowed_host_and_scheme as of Django 3.0, and will be removed in Django 4.0.

Signed-off-by: Anders Kaseorg
---
 zerver/lib/thumbnail.py | 12 ++++++++----
 zerver/views/auth.py | 4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/zerver/lib/thumbnail.py b/zerver/lib/thumbnail.py
index 7704dda970..02304f12a4 100644
--- a/zerver/lib/thumbnail.py
+++ b/zerver/lib/thumbnail.py
@@ -6,7 +6,7 @@ import urllib
 from urllib.parse import urljoin

 from django.conf import settings
-from django.utils.http import is_safe_url
+from django.utils.http import url_has_allowed_host_and_scheme
 from libthumbor import CryptoURL

 ZULIP_PATH = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
@@ -21,7 +21,9 @@ def is_thumbor_enabled() -> bool:


 def user_uploads_or_external(url: str) -> bool:
-    return not is_safe_url(url, allowed_hosts=None) or url.startswith("/user_uploads/")
+    return not url_has_allowed_host_and_scheme(url, allowed_hosts=None) or url.startswith(
+        "/user_uploads/"
+    )


 def get_source_type(url: str) -> str:
@@ -38,11 +40,13 @@ def generate_thumbnail_url(path: str, size: str = "0x0", is_camo_url: bool = Fal
     path = urljoin("/", path)

     if not is_thumbor_enabled():
-        if is_safe_url(path, allowed_hosts=None):
+        if url_has_allowed_host_and_scheme(path, allowed_hosts=None):
             return path
         return get_camo_url(path)

-    if is_safe_url(path, allowed_hosts=None) and not path.startswith("/user_uploads/"):
+    if url_has_allowed_host_and_scheme(path, allowed_hosts=None) and not path.startswith(
+        "/user_uploads/"
+    ):
         return path

     source_type = get_source_type(path)
diff --git a/zerver/views/auth.py b/zerver/views/auth.py
index 1ef5e0fc0b..5713979548 100644
--- a/zerver/views/auth.py
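Review bot: The predicate `url_has_allowed_host_and_scheme(..., allowed_hosts=None)` is now spelled out three times in this file — once in `user_uploads_or_external` in this hunk and twice in `generate_thumbnail_url` in the next hunk (that function starts and ends outside its hunk) — so the "what counts as a local URL" policy lives in three places. A one-line helper would pin it down once: `def _is_local_url(url: str) -> bool:` returning `url_has_allowed_host_and_scheme(url, allowed_hosts=None)`, with a docstring noting that Django treats `allowed_hosts=None` as an empty host set, so only host-less relative URLs pass and anything with a netloc (including protocol-relative `//host/...`) is rejected. `user_uploads_or_external` itself has no docstring; something like `"""Return True when url is not a host-less relative URL, or points under /user_uploads/."""` would state the contract the callers rely on. The rename itself is a pure alias swap and changes no behaviour, so no functional test is needed for this hunk.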
+++ b/zerver/views/auth.py
@@ -16,7 +16,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect, HttpRes
 from django.shortcuts import redirect, render
 from django.template.response import SimpleTemplateResponse
 from django.urls import reverse
-from django.utils.http import is_safe_url
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext as _
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_safe
@@ -79,7 +79,7 @@ ExtraContext = Optional[Dict[str, Any]]


 def get_safe_redirect_to(url: str, redirect_host: str) -> str:
-    is_url_safe = is_safe_url(url=url, allowed_hosts=None)
+    is_url_safe = url_has_allowed_host_and_scheme(url=url, allowed_hosts=None)
     if is_url_safe:
         # Mark as safe to prevent Pysa from surfacing false positives for
         # open redirects. In this branch, we have already checked that the URL
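Review bot: `get_safe_redirect_to` has no docstring stating what "safe" means here, and the new call makes the policy explicit enough to document: with `allowed_hosts=None` Django treats the allowed set as empty, so `url` is accepted only when it carries no host at all (a relative path), which is what keeps this from being an open redirect. I would add `"""Return a redirect target built from url that cannot leave this host: url is used only when it has no host or scheme of its own."""` directly under the `def` line; the fallback branch that presumably uses `redirect_host` lies outside this hunk, as does the rest of the function body. The existing inline comment about Pysa is worth keeping as is, since it records why the value is re-marked rather than what the check does.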