Author: russellm Date: 2010-10-08 09:17:13 -0500 (Fri, 08 Oct 2010) New Revision: 14010
Modified: django/branches/releases/1.2.X/django/contrib/syndication/views.py django/branches/releases/1.2.X/tests/regressiontests/syndication/tests.py Log: [1.2.X] Fixed #13218 -- Ensure that syndicated content served over HTTPS uses https:// links by default. Thanks to schaefer for the report, and Ben Firshman for the patch. Backport of r14007 from trunk. Modified: django/branches/releases/1.2.X/django/contrib/syndication/views.py =================================================================== --- django/branches/releases/1.2.X/django/contrib/syndication/views.py 2010-10-08 14:16:50 UTC (rev 14009) +++ django/branches/releases/1.2.X/django/contrib/syndication/views.py 2010-10-08 14:17:13 UTC (rev 14010) @@ -8,13 +8,17 @@ from django.utils.encoding import force_unicode, iri_to_uri, smart_unicode from django.utils.html import escape -def add_domain(domain, url): +def add_domain(domain, url, secure=False): if not (url.startswith('http://') or url.startswith('https://') or url.startswith('mailto:')): # 'url' must already be ASCII and URL-quoted, so no need for encoding # conversions here. - url = iri_to_uri(u'http://%s%s' % (domain, url)) + if secure: + protocol = 'https' + else: + protocol = 'http' + url = iri_to_uri(u'%s://%s%s' % (protocol, domain, url)) return url class FeedDoesNotExist(ObjectDoesNotExist): @@ -94,7 +98,7 @@ current_site = get_current_site(request) link = self.__get_dynamic_attr('link', obj) - link = add_domain(current_site.domain, link) + link = add_domain(current_site.domain, link, request.is_secure()) feed = self.feed_type( title = self.__get_dynamic_attr('title', obj), @@ -102,8 +106,11 @@ link = link, description = self.__get_dynamic_attr('description', obj), language = settings.LANGUAGE_CODE.decode(), - feed_url = add_domain(current_site.domain, - self.__get_dynamic_attr('feed_url', obj) or request.path), + feed_url = add_domain( + current_site.domain, + self.__get_dynamic_attr('feed_url', obj) or request.path, + request.is_secure(), + ), author_name = self.__get_dynamic_attr('author_name', obj), author_link = self.__get_dynamic_attr('author_link', obj), author_email = self.__get_dynamic_attr('author_email', obj), @@ -137,7 +144,11 @@ description = description_tmp.render(RequestContext(request, {'obj': item, 'site': current_site})) else: description = self.__get_dynamic_attr('item_description', item) - link = add_domain(current_site.domain, self.__get_dynamic_attr('item_link', item)) + link = add_domain( + current_site.domain, + self.__get_dynamic_attr('item_link', item), + request.is_secure(), + ) enc = None enc_url = self.__get_dynamic_attr('item_enclosure_url', item) if enc_url: Modified: django/branches/releases/1.2.X/tests/regressiontests/syndication/tests.py =================================================================== --- django/branches/releases/1.2.X/tests/regressiontests/syndication/tests.py 2010-10-08 14:16:50 UTC (rev 14009) +++ django/branches/releases/1.2.X/tests/regressiontests/syndication/tests.py 2010-10-08 14:17:13 UTC (rev 14010) @@ -236,6 +236,25 @@ if link.getAttribute('rel') == 'self': self.assertEqual(link.getAttribute('href'), 'http://example.com/customfeedurl/') + def test_secure_urls(self): + """ + Test URLs are prefixed with https:// when feed is requested over HTTPS. + """ + response = self.client.get('/syndication/rss2/', **{ + 'wsgi.url_scheme': 'https', + }) + doc = minidom.parseString(response.content) + chan = doc.getElementsByTagName('channel')[0] + self.assertEqual( + chan.getElementsByTagName('link')[0].firstChild.wholeText[0:5], + 'https' + ) + atom_link = chan.getElementsByTagName('atom:link')[0] + self.assertEqual(atom_link.getAttribute('href')[0:5], 'https') + for link in doc.getElementsByTagName('link'): + if link.getAttribute('rel') == 'self': + self.assertEqual(link.getAttribute('href')[0:5], 'https') + def test_item_link_error(self): """ Test that a ImproperlyConfigured is raised if no link could be found @@ -271,6 +290,10 @@ 'http://example.com/foo/?arg=value' ) self.assertEqual( + views.add_domain('example.com', '/foo/?arg=value', True), + 'https://example.com/foo/?arg=value' + ) + self.assertEqual( views.add_domain('example.com', 'http://djangoproject.com/doc/'), 'http://djangoproject.com/doc/' ) -- You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to django-upda...@googlegroups.com. To unsubscribe from this group, send email to django-updates+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-updates?hl=en.