[3.2.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.

Thanks to Benjamin Balder Bach for the report.
adamchainz authored and carltongibson committed Sep 27, 2022
1 parent 33affaf commit 5b6b257
Showing 3 changed files with 12 additions and 2 deletions.
2 changes: 1 addition & 1 deletion django/urls/resolvers.py
Expand Up @@ -303,7 +303,7 @@ def __init__(self, prefix_default_language=True):
@property
def regex(self):
# This is only used by reverse() and cached in _reverse_dict.
return re.compile(self.language_prefix)
return re.compile(re.escape(self.language_prefix))

@property
def language_prefix(self):
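Review bot: The `re.escape()` wrap at the `return` line is the right minimal fix, but the hunk should say why it matters: `language_prefix` is derived from the active language, which can be set from request data (URL prefix, cookie, `Accept-Language`), so before this change a caller-influenced string was handed straight to `re.compile()`, and a value like `e(` raised `re.error` on every `reverse()` call (the test hunk shows exactly that traceback). With escaping, metacharacters in the prefix are matched literally. Two follow-ups worth confirming in review: the comment above says this regex is only used by `reverse()` and cached in `_reverse_dict`, so check that the forward matching path for `LocalePrefixPattern` does not build a second, unescaped pattern from the same value; and since the pattern is now a literal string, consider whether a plain prefix comparison would be simpler than a compiled regex if the cache does not strictly require a regex object.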
6 changes: 5 additions & 1 deletion docs/releases/3.2.16.txt
Expand Up @@ -6,4 +6,8 @@ Django 3.2.16 release notes

Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.

...
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
===================================================================================

Internationalized URLs were subject to potential denial of service attack via
the locale parameter.
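Review bot: The release note states the impact (denial of service via the locale parameter) but not the cause or the behavioural change, so operators reading only this file cannot tell what was fixed. Suggest one more sentence matching the commit title, for example: "Locale values were interpreted as regular expressions when reversing internationalized URLs; they are now escaped and matched literally." That also tells users that no configuration change is needed beyond upgrading.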
6 changes: 6 additions & 0 deletions tests/i18n/patterns/tests.py
Expand Up @@ -172,6 +172,12 @@ def test_translate_url_utility(self):
self.assertEqual(translate_url('/nl/gebruikers/', 'en'), '/en/users/')
self.assertEqual(translation.get_language(), 'nl')

def test_locale_not_interepreted_as_regex(self):
with translation.override("e("):
# Would previously error:
# re.error: missing ), unterminated subpattern at position 1
reverse("users")


class URLNamespaceTests(URLTestCaseBase):
"""

0 comments on commit 5b6b257