Update Django to 1.8.18

requirements.txt

@@ -3,7 +3,7 @@ python-memcached==1.57
 chardet
 six
 Pillow>=2.6.1,<3.0.0
-Django==1.8.10
+Django==1.8.18
 django-compressor==1.4
 django-post-office==2.0.3
 django-statici18n==1.1.2

seahub/auth/views.py

@@ -13,7 +13,7 @@ from django.shortcuts import render_to_response
 from django.contrib.sites.models import Site, RequestSite
 from django.http import HttpResponseRedirect, Http404
 from django.template import RequestContext
-from django.utils.http import urlquote, base36_to_int
+from django.utils.http import urlquote, base36_to_int, is_safe_url
 from django.utils.translation import ugettext as _
 from django.views.decorators.cache import never_cache
 
@@ -27,7 +27,6 @@ from seahub.base.accounts import User
 from seahub.options.models import UserOptions
 from seahub.profile.models import Profile
 from seahub.utils import is_ldap_user
-from seahub.utils.http import is_safe_url
 from seahub.utils.ip import get_remote_ip
 from seahub.utils.two_factor_auth import two_factor_auth_enabled, handle_two_factor_auth
 

seahub/utils/http.py

@@ -1,8 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 from __future__ import unicode_literals
 
-import unicodedata
-import urlparse
 import json
 
 from functools import wraps
@@ -46,39 +44,3 @@ def int_param(request, key):
         return int(v)
     except ValueError:
         raise BadRequestException()
-
-def is_safe_url(url, host=None):
-    """
-    https://github.com/django/django/blob/fc6d147a63f89795dbcdecb0559256470fff4380/django/utils/http.py
-
-    Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
-    a different host and uses a safe scheme).
-    Always returns ``False`` on an empty url.
-    """
-    if url is not None:
-        url = url.strip()
-    if not url:
-        return False
-    # Chrome treats \ completely as / in paths but it could be part of some
-    # basic auth credentials so we need to check both URLs.
-    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
-
-def _is_safe_url(url, host):
-    # Chrome considers any URL with more than two slashes to be absolute, but
-    # urlparse is not so flexible. Treat any url with three slashes as unsafe.
-    if url.startswith('///'):
-        return False
-    url_info = urlparse.urlparse(url)
-    # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
-    # In that URL, example.com is not the hostname but, a path component. However,
-    # Chrome will still consider example.com to be the hostname, so we must not
-    # allow this syntax.
-    if not url_info.netloc and url_info.scheme:
-        return False
-    # Forbid URLs that start with control characters. Some browsers (like
-    # Chrome) ignore quite a few control characters at the start of a
-    # URL and might consider the URL as scheme relative.
-    if unicodedata.category(url[0])[0] == 'C':
-        return False
-    return ((not url_info.netloc or url_info.netloc == host) and
-            (not url_info.scheme or url_info.scheme in ['http', 'https']))

tests/seahub/auth/views/test_login.py

@@ -58,6 +58,17 @@ class LoginTest(BaseTestCase):
         self.assertEqual(302, resp.status_code)
         self.assertRegexpMatches(resp['Location'], r'http://testserver%s' % settings.LOGIN_REDIRECT_URL)
 
+    def test_bad_redirect2_to_after_success_login(self):
+        from django.utils.http import urlquote
+        resp = self.client.post(
+            reverse('auth_login') + '?next=' + urlquote('http:999999999'),
+            {'login': self.user.username,
+             'password': self.user_password}
+        )
+
+        self.assertEqual(302, resp.status_code)
+        self.assertRegexpMatches(resp['Location'], r'http://testserver%s' % settings.LOGIN_REDIRECT_URL)
+
     def test_redirect_to_other_host_after_success_login(self):
         from django.utils.http import urlquote
         resp = self.client.post(