[Django] #29022: HashedFilesMixin does not properly skip protocol-relative urls

[Django] #29022: HashedFilesMixin does not properly skip protocol-relative urls

Django
#29022: HashedFilesMixin does not properly skip protocol-relative urls
-----------------------------------------------+------------------------
               Reporter:  Will Gulian          |          Owner:  nobody
                   Type:  Bug                  |         Status:  new
              Component:  contrib.staticfiles  |        Version:  2.0
               Severity:  Normal               |       Keywords:
           Triage Stage:  Unreviewed           |      Has patch:  0
    Needs documentation:  0                    |    Needs tests:  0
Patch needs improvement:  0                    |  Easy pickings:  0
                  UI/UX:  0                    |
-----------------------------------------------+------------------------
 While protocol-relative URLs have been deprecated, it would be nice for
 Django staticfiles to support them, since a lot of code still uses them, or
 to explicitly ''not'' support them. Right now the relevant snippet implies
 that the code does filter out protocol-relative URLs, but it currently does not:
 {{{#!python
 # django/contrib/staticfiles/storage.py

 # Ignore absolute/protocol-relative and data-uri URLs.
 if re.match(r'^[a-z]+:', url):
     return matched
 }}}

 I've included an example snippet that uses a protocol-relative url but is
 not filtered:

 {{{#!css
 @import url("//fonts.googleapis.com/css?family=Source+Sans+Pro:400,700|Raleway:400,800,900");
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29022>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/048.45d5faaf70e389235aee8fe905a7388e%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Re: [Django] #29022: HashedFilesMixin does not properly skip protocol-relative urls

Django
#29022: HashedFilesMixin does not properly skip protocol-relative urls
-------------------------------------+-------------------------------------
     Reporter:  Will Gulian          |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  contrib.staticfiles  |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 The code changed in 08ed3cc6d160d0d864ff687db9a62959a86e7372 so the
 comment is outdated but as far as I see, a URL starting with `//` would
 likely be filtered out in the next block: `if url.startswith('/') and not
 url.startswith(settings.STATIC_URL):`. Anyway, there's still a test
 assertion for `//foobar` remaining unchanged and I don't see a change to
 the URL you provided if I add that to the test. Can you find the
 difference between that test and your situation that reproduces the
 problem?

--
Ticket URL: <https://code.djangoproject.com/ticket/29022#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Re: [Django] #29022: HashedFilesMixin does not properly skip protocol-relative urls

Django
#29022: HashedFilesMixin does not properly skip protocol-relative urls
-------------------------------------+-------------------------------------
     Reporter:  Will Gulian          |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  contrib.staticfiles  |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Will Gulian):

 Replying to [comment:1 Tim Graham]:
 > The code changed in 08ed3cc6d160d0d864ff687db9a62959a86e7372 so the
 > comment is outdated but as far as I see, a URL starting with `//` would
 > likely be filtered out in the next block: `if url.startswith('/') and not
 > url.startswith(settings.STATIC_URL):`. Anyway, there's still a test
 > assertion for `//foobar` remaining unchanged and I don't see a change to
 > the URL you provided if I add that to the test. Can you find the
 > difference between that test and your situation that reproduces the
 > problem?

 Sorry, I should have looked at that function more closely. It's not being
 caught in my case because my `STATIC_URL` is `/`, so the line that should
 exit doesn't, because the protocol-relative URL actually starts with my
 `STATIC_URL`.

--
Ticket URL: <https://code.djangoproject.com/ticket/29022#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
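
The interaction described in the thread, as an added example that is not part of the original messages or Django's own code: a simplified model of the two checks quoted above, run against the ticket's URL under `STATIC_URL = '/static/'` and `STATIC_URL = '/'`. The function names, the extra sample URLs, and the explicit `//` check are assumptions made for illustration.

```python
import re

# Constructed sample input: the URL from the ticket plus a few other shapes.
SAMPLE_URLS = [
    "//fonts.googleapis.com/css?family=Source+Sans+Pro:400,700|Raleway:400,800,900",
    "https://example.com/a.css",
    "data:image/png;base64,AAAA",
    "/static/css/base.css",
    "/other/app.css",
    "img/logo.png",
]


def skips_as_quoted(url, static_url):
    """Model of the two checks quoted in the thread (not Django's full code).

    True means the URL is left untouched; False means it would be treated
    as a reference to a local static file and rewritten.
    """
    if re.match(r'^[a-z]+:', url):  # scheme-qualified URL or data: URI
        return True
    if url.startswith('/') and not url.startswith(static_url):
        return True  # root-relative path outside STATIC_URL
    return False


def skips_with_explicit_check(url, static_url):
    """Hypothetical variant: treat '//' as external before using STATIC_URL."""
    if url.startswith('//'):
        return True
    return skips_as_quoted(url, static_url)


def report(static_url):
    """Return {url: (quoted_result, explicit_result)} for the sample URLs."""
    return {
        u: (skips_as_quoted(u, static_url),
            skips_with_explicit_check(u, static_url))
        for u in SAMPLE_URLS
    }


if __name__ == "__main__":
    for static_url in ("/static/", "/"):
        print(f"STATIC_URL = {static_url!r}")
        for url, (quoted, explicit) in report(static_url).items():
            print(f"  quoted={quoted!s:5} explicit={explicit!s:5} {url[:40]}")
```

With `STATIC_URL = '/'` every URL beginning with `/` also begins with `STATIC_URL`, so the second check can never skip anything and the `//host/...` form falls through as if it were a local file.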
