-rw-r--r-- .gitignore 1
-rw-r--r-- python-is-safe-url.spec 192
-rw-r--r-- sources 1
3 files changed, 194 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..5fcd577 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/is_safe_url-1.0.tar.gz
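Review bot: The ignore pattern on the added line is pinned to version 1.0, so every version bump needs a matching edit here or the new tarball will show up as untracked. A pattern such as `/is_safe_url-*.tar.gz` would cover later releases as well.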
diff --git a/python-is-safe-url.spec b/python-is-safe-url.spec
new file mode 100644
index 0000000..4c94e3d
--- /dev/null
+++ b/python-is-safe-url.spec
@@ -0,0 +1,192 @@
+%global _empty_manifest_terminate_build 0
+Name: python-is-safe-url
+Version: 1.0
+Release: 1
+Summary: Django's is_safe_url() bundled as a standalone package.
+License: BSD
+URL: https://gitlab.com/MarkusH/is_safe_url
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/a4/94/be63323c7096a133a1b3ca89f4c096f0828ad0e169dba24cef6c28e1dd0d/is_safe_url-1.0.tar.gz
+BuildArch: noarch
+
+
+%description
+
+# `is_safe_url()`
+
+Redirecting a visitor to another URL is common. It's also common that the
+redirect target is controllable by a visitor. One can often find a `?next` or
+`?on_complete` GET parameter with the redirect target.
+
+While this form of redirection is convenient, blindly redirecting a visitor to
+the given target can easily lead to [Unvalidated Redirect and Forwards](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet).
+Thus, one needs to check if the redirect target is "safe" before redirecting a
+visitor.
+
+The [Django web framework](https://djangoproject.com) has a utility function
+`is_safe_url()` that attempts to validate a given target against a set of valid
+hosts. This package unbundles the function and easily allows other projects to
+use it.
+
+```python
+>>> from is_safe_url import is_safe_url
+>>> is_safe_url("/redirect/target", {"example.com", "www.example.com"})
+True
+>>> is_safe_url("//example.com/redirect/target", {"example.com", "www.example.com"})
+True
+>>> is_safe_url("//evil.net/redirect/target", {"example.com"})
+False
+>>> is_safe_url("http://example.com/redirect/target", {"example.com"})
+True
+>>> is_safe_url("http://example.com/redirect/target", {"example.com"}, require_https=True)
+False
+>>> is_safe_url("https://example.com/redirect/target", {"example.com"}, require_https=True)
+True
+```
+
+# Security
+
+Please report security issues **privately** to the
+[Django security team](security@djangoproject.com) or
+[Markus Holtermann](info+security+is-safe-url@markusholtermann.eu).
+
+
+
+
+%package -n python3-is-safe-url
+Summary: Django's is_safe_url() bundled as a standalone package.
+Provides: python-is-safe-url
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-is-safe-url
+
+# `is_safe_url()`
+
+Redirecting a visitor to another URL is common. It's also common that the
+redirect target is controllable by a visitor. One can often find a `?next` or
+`?on_complete` GET parameter with the redirect target.
+
+While this form of redirection is convenient, blindly redirecting a visitor to
+the given target can easily lead to [Unvalidated Redirect and Forwards](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet).
+Thus, one needs to check if the redirect target is "safe" before redirecting a
+visitor.
+
+The [Django web framework](https://djangoproject.com) has a utility function
+`is_safe_url()` that attempts to validate a given target against a set of valid
+hosts. This package unbundles the function and easily allows other projects to
+use it.
+
+```python
+>>> from is_safe_url import is_safe_url
+>>> is_safe_url("/redirect/target", {"example.com", "www.example.com"})
+True
+>>> is_safe_url("//example.com/redirect/target", {"example.com", "www.example.com"})
+True
+>>> is_safe_url("//evil.net/redirect/target", {"example.com"})
+False
+>>> is_safe_url("http://example.com/redirect/target", {"example.com"})
+True
+>>> is_safe_url("http://example.com/redirect/target", {"example.com"}, require_https=True)
+False
+>>> is_safe_url("https://example.com/redirect/target", {"example.com"}, require_https=True)
+True
+```
+
+# Security
+
+Please report security issues **privately** to the
+[Django security team](security@djangoproject.com) or
+[Markus Holtermann](info+security+is-safe-url@markusholtermann.eu).
+
+
+
+
+%package help
+Summary: Development documents and examples for is-safe-url
+Provides: python3-is-safe-url-doc
+%description help
+
+# `is_safe_url()`
+
+Redirecting a visitor to another URL is common. It's also common that the
+redirect target is controllable by a visitor. One can often find a `?next` or
+`?on_complete` GET parameter with the redirect target.
+
+While this form of redirection is convenient, blindly redirecting a visitor to
+the given target can easily lead to [Unvalidated Redirect and Forwards](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet).
+Thus, one needs to check if the redirect target is "safe" before redirecting a
+visitor.
+
+The [Django web framework](https://djangoproject.com) has a utility function
+`is_safe_url()` that attempts to validate a given target against a set of valid
+hosts. This package unbundles the function and easily allows other projects to
+use it.
+
+```python
+>>> from is_safe_url import is_safe_url
+>>> is_safe_url("/redirect/target", {"example.com", "www.example.com"})
+True
+>>> is_safe_url("//example.com/redirect/target", {"example.com", "www.example.com"})
+True
+>>> is_safe_url("//evil.net/redirect/target", {"example.com"})
+False
+>>> is_safe_url("http://example.com/redirect/target", {"example.com"})
+True
+>>> is_safe_url("http://example.com/redirect/target", {"example.com"}, require_https=True)
+False
+>>> is_safe_url("https://example.com/redirect/target", {"example.com"}, require_https=True)
+True
+```
+
+# Security
+
+Please report security issues **privately** to the
+[Django security team](security@djangoproject.com) or
+[Markus Holtermann](info+security+is-safe-url@markusholtermann.eu).
+
+
+
+
+%prep
+%autosetup -n is-safe-url-1.0
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-is-safe-url -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Tue Apr 11 2023 Python_Bot <Python_Bot@openeuler.org> - 1.0-1
+- Package Spec generated
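Review bot: `Source0` fetches the tarball from a third-party mirror (mirrors.nju.edu.cn) while `URL` names the GitLab project as upstream, so the build trusts whatever that mirror serves and the only backstop is the digest in `sources`. Point `Source0` at the upstream release location, or add a comment saying why the mirror is used. Further points in this hunk: `%autosetup -n is-safe-url-1.0` uses hyphens while the tarball is named `is_safe_url-1.0.tar.gz`, so confirm the top-level directory inside the archive matches; `%global _empty_manifest_terminate_build 0` turns off a build-terminating check and should carry a comment explaining why it is needed; the `%install` section runs `touch doclist.lst` but has no equivalent for `filelist.lst`, so the later `mv %{buildroot}/filelist.lst .` fails if none of the `usr/*` directories exist; and the three `%description` sections repeat the full README including Markdown fences, where a short plain-text description would be enough.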
diff --git a/sources b/sources
new file mode 100644
index 0000000..5cfe41a
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+0a963173c49fd727b745e647e489330e is_safe_url-1.0.tar.gz
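Review bot: The digest on the added line is 32 hex characters, which is MD5 length, and MD5 does not resist collisions, so it is a weak integrity check for a tarball that `Source0` downloads from a mirror. If the build tooling accepts a stronger digest, record SHA-256 or SHA-512 for `is_safe_url-1.0.tar.gz` instead.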