Added safety to URL decoding in is_safe_url() on Python 2

The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc9352 and ada7a4ae.

django/utils/http.py

@@ -291,7 +291,10 @@ def is_safe_url(url, host=None):
     if not url:
         return False
     if six.PY2:
-        url = force_text(url, errors='replace')
+        try:
+            url = force_text(url)
+        except UnicodeDecodeError:
+            return False
     # Chrome treats \ completely as / in paths but it could be part of some
     # basic auth credentials so we need to check both URLs.
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

docs/releases/1.8.11.txt

@@ -2,7 +2,7 @@
 Django 1.8.11 release notes
 ===========================
 
-*March 4, 2016*
+*March 5, 2016*
 
 Django 1.8.11 fixes a regression on Python 2 in the 1.8.10 security release
 where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).

docs/releases/1.9.4.txt

@@ -2,7 +2,7 @@
 Django 1.9.4 release notes
 ==========================
 
-*March 4, 2016*
+*March 5, 2016*
 
 Django 1.9.4 fixes a regression on Python 2 in the 1.9.3 security release
 where ``utils.http.is_safe_url()`` crashes on bytestring URLs (:ticket:`26308`).

tests/utils_tests/test_http.py

@@ -124,7 +124,7 @@ class TestUtilsHttp(unittest.TestCase):
             )
             self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
             self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
-            self.assertTrue(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
+            self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
 
         # Valid basic auth credentials are allowed.
         self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))