Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Fixed #13218 -- Ensure that syndicated content served over HTTPS uses…

… https:// links by default. Thanks to schaefer for the report, and Ben Firshman for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14007 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit ed32170a0487cdf045b565cc971067504b79aaf0 1 parent 060701a
Russell Keith-Magee authored October 08, 2010
23  django/contrib/syndication/views.py
@@ -8,13 +8,17 @@
8 8
 from django.utils.encoding import force_unicode, iri_to_uri, smart_unicode
9 9
 from django.utils.html import escape
10 10
 
11  
-def add_domain(domain, url):
  11
+def add_domain(domain, url, secure=False):
12 12
     if not (url.startswith('http://')
13 13
             or url.startswith('https://')
14 14
             or url.startswith('mailto:')):
15 15
         # 'url' must already be ASCII and URL-quoted, so no need for encoding
16 16
         # conversions here.
17  
-        url = iri_to_uri(u'http://%s%s' % (domain, url))
  17
+        if secure:
  18
+            protocol = 'https'
  19
+        else:
  20
+            protocol = 'http'
  21
+        url = iri_to_uri(u'%s://%s%s' % (protocol, domain, url))
18 22
     return url
19 23
 
20 24
 class FeedDoesNotExist(ObjectDoesNotExist):
@@ -94,7 +98,7 @@ def get_feed(self, obj, request):
94 98
         current_site = get_current_site(request)
95 99
 
96 100
         link = self.__get_dynamic_attr('link', obj)
97  
-        link = add_domain(current_site.domain, link)
  101
+        link = add_domain(current_site.domain, link, request.is_secure())
98 102
 
99 103
         feed = self.feed_type(
100 104
             title = self.__get_dynamic_attr('title', obj),
@@ -102,8 +106,11 @@ def get_feed(self, obj, request):
102 106
             link = link,
103 107
             description = self.__get_dynamic_attr('description', obj),
104 108
             language = settings.LANGUAGE_CODE.decode(),
105  
-            feed_url = add_domain(current_site.domain,
106  
-                    self.__get_dynamic_attr('feed_url', obj) or request.path),
  109
+            feed_url = add_domain(
  110
+                current_site.domain,
  111
+                self.__get_dynamic_attr('feed_url', obj) or request.path,
  112
+                request.is_secure(),
  113
+            ),
107 114
             author_name = self.__get_dynamic_attr('author_name', obj),
108 115
             author_link = self.__get_dynamic_attr('author_link', obj),
109 116
             author_email = self.__get_dynamic_attr('author_email', obj),
@@ -137,7 +144,11 @@ def get_feed(self, obj, request):
137 144
                 description = description_tmp.render(RequestContext(request, {'obj': item, 'site': current_site}))
138 145
             else:
139 146
                 description = self.__get_dynamic_attr('item_description', item)
140  
-            link = add_domain(current_site.domain, self.__get_dynamic_attr('item_link', item))
  147
+            link = add_domain(
  148
+                current_site.domain,
  149
+                self.__get_dynamic_attr('item_link', item),
  150
+                request.is_secure(),
  151
+            )
141 152
             enc = None
142 153
             enc_url = self.__get_dynamic_attr('item_enclosure_url', item)
143 154
             if enc_url:
23  tests/regressiontests/syndication/tests.py
@@ -236,6 +236,25 @@ def test_feed_url(self):
236 236
             if link.getAttribute('rel') == 'self':
237 237
                 self.assertEqual(link.getAttribute('href'), 'http://example.com/customfeedurl/')
238 238
 
  239
+    def test_secure_urls(self):
  240
+        """
  241
+        Test URLs are prefixed with https:// when feed is requested over HTTPS.
  242
+        """
  243
+        response = self.client.get('/syndication/rss2/', **{
  244
+            'wsgi.url_scheme': 'https',
  245
+        })
  246
+        doc = minidom.parseString(response.content)
  247
+        chan = doc.getElementsByTagName('channel')[0]
  248
+        self.assertEqual(
  249
+            chan.getElementsByTagName('link')[0].firstChild.wholeText[0:5],
  250
+            'https'
  251
+        )
  252
+        atom_link = chan.getElementsByTagName('atom:link')[0]
  253
+        self.assertEqual(atom_link.getAttribute('href')[0:5], 'https')
  254
+        for link in doc.getElementsByTagName('link'):
  255
+            if link.getAttribute('rel') == 'self':
  256
+                self.assertEqual(link.getAttribute('href')[0:5], 'https')
  257
+
239 258
     def test_item_link_error(self):
240 259
         """
241 260
         Test that a ImproperlyConfigured is raised if no link could be found
@@ -271,6 +290,10 @@ def test_add_domain(self):
271 290
             'http://example.com/foo/?arg=value'
272 291
         )
273 292
         self.assertEqual(
  293
+            views.add_domain('example.com', '/foo/?arg=value', True),
  294
+            'https://example.com/foo/?arg=value'
  295
+        )
  296
+        self.assertEqual(
274 297
             views.add_domain('example.com', 'http://djangoproject.com/doc/'),
275 298
             'http://djangoproject.com/doc/'
276 299
         )

0 notes on commit ed32170

Please sign in to comment.
Something went wrong with that request. Please try again.