Updated to Django 3.2.

This also fixes is_safe_url() deprecation warnings.
django · Feb 21, 2024 · 28b6a04 · 28b6a04
1 parent 2097f46
commit 28b6a04
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -24,6 +24,8 @@ jobs:
           python-version: '3.8'
       - run: pip install "tinycss2>=1.2.0"
       - run: python noshadows.py --tests
+        env:
+          PYTHONWARNINGS: error
 
   tracdjangoplugin:
     runs-on: ubuntu-20.04
@@ -39,6 +41,7 @@ jobs:
         run: python -m django test tracdjangoplugin.tests
         env:
           DJANGO_SETTINGS_MODULE: tracdjangoplugin.settings_tests
+          PYTHONWARNINGS: error
 
   traccheck:
     runs-on: ubuntu-20.04
@@ -53,6 +56,8 @@ jobs:
       - run: python traccheck.py lint trac-env/
         env:
           DJANGO_SETTINGS_MODULE: tracdjangoplugin.settings_tests
+          PYTHONWARNINGS: error
       - run: python traccheck.py components --check .TRACFREEZE.txt trac-env/
         env:
           DJANGO_SETTINGS_MODULE: tracdjangoplugin.settings_tests
+          PYTHONWARNINGS: error
diff --git a/DjangoPlugin/tracdjangoplugin/plugins.py b/DjangoPlugin/tracdjangoplugin/plugins.py
@@ -11,7 +11,8 @@
 
 from django.conf import settings
 from django.contrib.auth.forms import AuthenticationForm
-from django.utils.http import is_safe_url
+from django.utils.encoding import iri_to_uri
+from django.utils.http import url_has_allowed_host_and_scheme
 
 
 class CustomTheme(Component):
@@ -135,11 +136,14 @@ def do_post(self, req):
 
     def _get_safe_redirect_url(self, req):
         host = urlparse(req.base_url).hostname
-        redirect_url = req.args.get("next", "") or settings.LOGIN_REDIRECT_URL
-        if is_safe_url(redirect_url, allowed_hosts=[host]):
-            return redirect_url
-        else:
-            return settings.LOGIN_REDIRECT_URL
+        redirect_url = iri_to_uri(req.args.get("next", ""))
+
+        if not redirect_url:
+            redirect_url = settings.LOGIN_REDIRECT_URL
+        elif not url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=[host]):
+            redirect_url = settings.LOGIN_REDIRECT_URL
+
+        return redirect_url
 
 
 class ReservedUsernamesComponent(Component):

diff --git a/requirements.txt b/requirements.txt
@@ -1,7 +1,7 @@
 # spam-filter doesn't work without babel (but somehow doesn't list it in its requirements)
 Trac[pygments, babel]==1.6.0
 psycopg2==2.9.9 --no-binary=psycopg2
-Django==1.11.29
+Django==3.2.24
 libsass==0.23.0
 
 # Trac plugins