PageRenderTime 3487ms CodeModel.GetById 53ms RepoModel.GetById 6ms app.codeStats 2ms

/django/utils/http.py

https://gitlab.com/0072016/django-django
Python | 376 lines | 333 code | 10 blank | 33 comment | 2 complexity | d0db1e7420cc495178c0806ff6472fdc MD5 | raw file
  1. from __future__ import unicode_literals
  2. import base64
  3. import calendar
  4. import datetime
  5. import re
  6. import sys
  7. import unicodedata
  8. from binascii import Error as BinasciiError
  9. from email.utils import formatdate
  10. from django.core.exceptions import TooManyFieldsSent
  11. from django.utils import six
  12. from django.utils.datastructures import MultiValueDict
  13. from django.utils.encoding import force_bytes, force_str, force_text
  14. from django.utils.functional import keep_lazy_text
  15. from django.utils.six.moves.urllib.parse import (
  16. quote, quote_plus, unquote, unquote_plus, urlencode as original_urlencode,
  17. urlparse,
  18. )
  19. ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
  20. MONTHS = 'jan feb mar apr may jun jul aug sep oct nov dec'.split()
  21. __D = r'(?P<day>\d{2})'
  22. __D2 = r'(?P<day>[ \d]\d)'
  23. __M = r'(?P<mon>\w{3})'
  24. __Y = r'(?P<year>\d{4})'
  25. __Y2 = r'(?P<year>\d{2})'
  26. __T = r'(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})'
  27. RFC1123_DATE = re.compile(r'^\w{3}, %s %s %s %s GMT$' % (__D, __M, __Y, __T))
  28. RFC850_DATE = re.compile(r'^\w{6,9}, %s-%s-%s %s GMT$' % (__D, __M, __Y2, __T))
  29. ASCTIME_DATE = re.compile(r'^\w{3} %s %s %s %s$' % (__M, __D2, __T, __Y))
  30. RFC3986_GENDELIMS = str(":/?#[]@")
  31. RFC3986_SUBDELIMS = str("!$&'()*+,;=")
  32. FIELDS_MATCH = re.compile('[&;]')
  33. @keep_lazy_text
  34. def urlquote(url, safe='/'):
  35. """
  36. A version of Python's urllib.quote() function that can operate on unicode
  37. strings. The url is first UTF-8 encoded before quoting. The returned string
  38. can safely be used as part of an argument to a subsequent iri_to_uri() call
  39. without double-quoting occurring.
  40. """
  41. return force_text(quote(force_str(url), force_str(safe)))
  42. @keep_lazy_text
  43. def urlquote_plus(url, safe=''):
  44. """
  45. A version of Python's urllib.quote_plus() function that can operate on
  46. unicode strings. The url is first UTF-8 encoded before quoting. The
  47. returned string can safely be used as part of an argument to a subsequent
  48. iri_to_uri() call without double-quoting occurring.
  49. """
  50. return force_text(quote_plus(force_str(url), force_str(safe)))
  51. @keep_lazy_text
  52. def urlunquote(quoted_url):
  53. """
  54. A wrapper for Python's urllib.unquote() function that can operate on
  55. the result of django.utils.http.urlquote().
  56. """
  57. return force_text(unquote(force_str(quoted_url)))
  58. @keep_lazy_text
  59. def urlunquote_plus(quoted_url):
  60. """
  61. A wrapper for Python's urllib.unquote_plus() function that can operate on
  62. the result of django.utils.http.urlquote_plus().
  63. """
  64. return force_text(unquote_plus(force_str(quoted_url)))
  65. def urlencode(query, doseq=0):
  66. """
  67. A version of Python's urllib.urlencode() function that can operate on
  68. unicode strings. The parameters are first cast to UTF-8 encoded strings and
  69. then encoded as per normal.
  70. """
  71. if isinstance(query, MultiValueDict):
  72. query = query.lists()
  73. elif hasattr(query, 'items'):
  74. query = query.items()
  75. return original_urlencode(
  76. [(force_str(k),
  77. [force_str(i) for i in v] if isinstance(v, (list, tuple)) else force_str(v))
  78. for k, v in query],
  79. doseq)
  80. def cookie_date(epoch_seconds=None):
  81. """
  82. Formats the time to ensure compatibility with Netscape's cookie standard.
  83. Accepts a floating point number expressed in seconds since the epoch, in
  84. UTC - such as that outputted by time.time(). If set to None, defaults to
  85. the current time.
  86. Outputs a string in the format 'Wdy, DD-Mon-YYYY HH:MM:SS GMT'.
  87. """
  88. rfcdate = formatdate(epoch_seconds)
  89. return '%s-%s-%s GMT' % (rfcdate[:7], rfcdate[8:11], rfcdate[12:25])
  90. def http_date(epoch_seconds=None):
  91. """
  92. Formats the time to match the RFC1123 date format as specified by HTTP
  93. RFC7231 section 7.1.1.1.
  94. Accepts a floating point number expressed in seconds since the epoch, in
  95. UTC - such as that outputted by time.time(). If set to None, defaults to
  96. the current time.
  97. Outputs a string in the format 'Wdy, DD Mon YYYY HH:MM:SS GMT'.
  98. """
  99. return formatdate(epoch_seconds, usegmt=True)
  100. def parse_http_date(date):
  101. """
  102. Parses a date format as specified by HTTP RFC7231 section 7.1.1.1.
  103. The three formats allowed by the RFC are accepted, even if only the first
  104. one is still in widespread use.
  105. Returns an integer expressed in seconds since the epoch, in UTC.
  106. """
  107. # emails.Util.parsedate does the job for RFC1123 dates; unfortunately
  108. # RFC7231 makes it mandatory to support RFC850 dates too. So we roll
  109. # our own RFC-compliant parsing.
  110. for regex in RFC1123_DATE, RFC850_DATE, ASCTIME_DATE:
  111. m = regex.match(date)
  112. if m is not None:
  113. break
  114. else:
  115. raise ValueError("%r is not in a valid HTTP date format" % date)
  116. try:
  117. year = int(m.group('year'))
  118. if year < 100:
  119. if year < 70:
  120. year += 2000
  121. else:
  122. year += 1900
  123. month = MONTHS.index(m.group('mon').lower()) + 1
  124. day = int(m.group('day'))
  125. hour = int(m.group('hour'))
  126. min = int(m.group('min'))
  127. sec = int(m.group('sec'))
  128. result = datetime.datetime(year, month, day, hour, min, sec)
  129. return calendar.timegm(result.utctimetuple())
  130. except Exception:
  131. six.reraise(ValueError, ValueError("%r is not a valid date" % date), sys.exc_info()[2])
  132. def parse_http_date_safe(date):
  133. """
  134. Same as parse_http_date, but returns None if the input is invalid.
  135. """
  136. try:
  137. return parse_http_date(date)
  138. except Exception:
  139. pass
  140. # Base 36 functions: useful for generating compact URLs
  141. def base36_to_int(s):
  142. """
  143. Converts a base 36 string to an ``int``. Raises ``ValueError` if the
  144. input won't fit into an int.
  145. """
  146. # To prevent overconsumption of server resources, reject any
  147. # base36 string that is long than 13 base36 digits (13 digits
  148. # is sufficient to base36-encode any 64-bit integer)
  149. if len(s) > 13:
  150. raise ValueError("Base36 input too large")
  151. value = int(s, 36)
  152. # ... then do a final check that the value will fit into an int to avoid
  153. # returning a long (#15067). The long type was removed in Python 3.
  154. if six.PY2 and value > sys.maxint:
  155. raise ValueError("Base36 input too large")
  156. return value
  157. def int_to_base36(i):
  158. """
  159. Converts an integer to a base36 string
  160. """
  161. char_set = '0123456789abcdefghijklmnopqrstuvwxyz'
  162. if i < 0:
  163. raise ValueError("Negative base36 conversion input.")
  164. if six.PY2:
  165. if not isinstance(i, six.integer_types):
  166. raise TypeError("Non-integer base36 conversion input.")
  167. if i > sys.maxint:
  168. raise ValueError("Base36 conversion input too large.")
  169. if i < 36:
  170. return char_set[i]
  171. b36 = ''
  172. while i != 0:
  173. i, n = divmod(i, 36)
  174. b36 = char_set[n] + b36
  175. return b36
  176. def urlsafe_base64_encode(s):
  177. """
  178. Encodes a bytestring in base64 for use in URLs, stripping any trailing
  179. equal signs.
  180. """
  181. return base64.urlsafe_b64encode(s).rstrip(b'\n=')
  182. def urlsafe_base64_decode(s):
  183. """
  184. Decodes a base64 encoded string, adding back any trailing equal signs that
  185. might have been stripped.
  186. """
  187. s = force_bytes(s)
  188. try:
  189. return base64.urlsafe_b64decode(s.ljust(len(s) + len(s) % 4, b'='))
  190. except (LookupError, BinasciiError) as e:
  191. raise ValueError(e)
  192. def parse_etags(etag_str):
  193. """
  194. Parses a string with one or several etags passed in If-None-Match and
  195. If-Match headers by the rules in RFC 2616. Returns a list of etags
  196. without surrounding double quotes (") and unescaped from \<CHAR>.
  197. """
  198. etags = ETAG_MATCH.findall(etag_str)
  199. if not etags:
  200. # etag_str has wrong format, treat it as an opaque string then
  201. return [etag_str]
  202. etags = [e.encode('ascii').decode('unicode_escape') for e in etags]
  203. return etags
  204. def quote_etag(etag):
  205. """
  206. Wraps a string in double quotes escaping contents as necessary.
  207. """
  208. return '"%s"' % etag.replace('\\', '\\\\').replace('"', '\\"')
  209. def unquote_etag(etag):
  210. """
  211. Unquote an ETag string; i.e. revert quote_etag().
  212. """
  213. return etag.strip('"').replace('\\"', '"').replace('\\\\', '\\') if etag else etag
  214. def is_same_domain(host, pattern):
  215. """
  216. Return ``True`` if the host is either an exact match or a match
  217. to the wildcard pattern.
  218. Any pattern beginning with a period matches a domain and all of its
  219. subdomains. (e.g. ``.example.com`` matches ``example.com`` and
  220. ``foo.example.com``). Anything else is an exact string match.
  221. """
  222. if not pattern:
  223. return False
  224. pattern = pattern.lower()
  225. return (
  226. pattern[0] == '.' and (host.endswith(pattern) or host == pattern[1:]) or
  227. pattern == host
  228. )
  229. def is_safe_url(url, host=None):
  230. """
  231. Return ``True`` if the url is a safe redirection (i.e. it doesn't point to
  232. a different host and uses a safe scheme).
  233. Always returns ``False`` on an empty url.
  234. """
  235. if url is not None:
  236. url = url.strip()
  237. if not url:
  238. return False
  239. if six.PY2:
  240. try:
  241. url = force_text(url)
  242. except UnicodeDecodeError:
  243. return False
  244. # Chrome treats \ completely as / in paths but it could be part of some
  245. # basic auth credentials so we need to check both URLs.
  246. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
  247. def _is_safe_url(url, host):
  248. # Chrome considers any URL with more than two slashes to be absolute, but
  249. # urlparse is not so flexible. Treat any url with three slashes as unsafe.
  250. if url.startswith('///'):
  251. return False
  252. url_info = urlparse(url)
  253. # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
  254. # In that URL, example.com is not the hostname but, a path component. However,
  255. # Chrome will still consider example.com to be the hostname, so we must not
  256. # allow this syntax.
  257. if not url_info.netloc and url_info.scheme:
  258. return False
  259. # Forbid URLs that start with control characters. Some browsers (like
  260. # Chrome) ignore quite a few control characters at the start of a
  261. # URL and might consider the URL as scheme relative.
  262. if unicodedata.category(url[0])[0] == 'C':
  263. return False
  264. return ((not url_info.netloc or url_info.netloc == host) and
  265. (not url_info.scheme or url_info.scheme in ['http', 'https']))
  266. def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8',
  267. errors='replace', fields_limit=None):
  268. """
  269. Return a list of key/value tuples parsed from query string.
  270. Copied from urlparse with an additional "fields_limit" argument.
  271. Copyright (C) 2013 Python Software Foundation (see LICENSE.python).
  272. Arguments:
  273. qs: percent-encoded query string to be parsed
  274. keep_blank_values: flag indicating whether blank values in
  275. percent-encoded queries should be treated as blank strings. A
  276. true value indicates that blanks should be retained as blank
  277. strings. The default false value indicates that blank values
  278. are to be ignored and treated as if they were not included.
  279. encoding and errors: specify how to decode percent-encoded sequences
  280. into Unicode characters, as accepted by the bytes.decode() method.
  281. fields_limit: maximum number of fields parsed or an exception
  282. is raised. None means no limit and is the default.
  283. """
  284. if fields_limit:
  285. pairs = FIELDS_MATCH.split(qs, fields_limit)
  286. if len(pairs) > fields_limit:
  287. raise TooManyFieldsSent(
  288. 'The number of GET/POST parameters exceeded '
  289. 'settings.DATA_UPLOAD_MAX_NUMBER_FIELDS.'
  290. )
  291. else:
  292. pairs = FIELDS_MATCH.split(qs)
  293. r = []
  294. for name_value in pairs:
  295. if not name_value:
  296. continue
  297. nv = name_value.split(str('='), 1)
  298. if len(nv) != 2:
  299. # Handle case of a control-name with no equal sign
  300. if keep_blank_values:
  301. nv.append('')
  302. else:
  303. continue
  304. if len(nv[1]) or keep_blank_values:
  305. if six.PY3:
  306. name = nv[0].replace('+', ' ')
  307. name = unquote(name, encoding=encoding, errors=errors)
  308. value = nv[1].replace('+', ' ')
  309. value = unquote(value, encoding=encoding, errors=errors)
  310. else:
  311. name = unquote(nv[0].replace(b'+', b' '))
  312. value = unquote(nv[1].replace(b'+', b' '))
  313. r.append((name, value))
  314. return r