Skip to content

Commit

Permalink
[3.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addre…
Browse files Browse the repository at this point in the history 
…sses.

validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.

[1] https://bugs.python.org/issue36384
  • Loading branch information
@felixxm @carltongibson
felixxm authored and carltongibson committed Jun 2, 2021
1 parent dfaba12 commit 9f75e2e
Show file tree
Hide file tree
Showing 7 changed files with 87 additions and 1 deletion.
15 changes: 14 additions & 1 deletion django/core/validators.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ class URLValidator(RegexValidator):
ul = '\u00a1-\uffff' # Unicode letters range (must not be a raw string).

# IP patterns
ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
ipv4_re = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}'
ipv6_re = r'\[[0-9a-f:.]+\]' # (simple regex, validated later)

# Host patterns
Expand Down Expand Up @@ -276,6 +276,19 @@ def validate_ipv4_address(value):
ipaddress.IPv4Address(value)
except ValueError:
raise ValidationError(_('Enter a valid IPv4 address.'), code='invalid', params={'value': value})
else:
# Leading zeros are forbidden to avoid ambiguity with the octal
# notation. This restriction is included in Python 3.9.5+.
# TODO: Remove when dropping support for PY39.
if any(
octet != '0' and octet[0] == '0'
for octet in value.split('.')
):
raise ValidationError(
_('Enter a valid IPv4 address.'),
code='invalid',
params={'value': value},
)


def validate_ipv6_address(value):
Expand Down
13 changes: 13 additions & 0 deletions docs/releases/2.2.24.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
===========================================================================================================================

:class:`~django.core.validators.URLValidator`,
:func:`~django.core.validators.validate_ipv4_address`, and
:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

:func:`~django.core.validators.validate_ipv4_address` and
:func:`~django.core.validators.validate_ipv46_address` validators were not
affected on Python 3.9.5+.
13 changes: 13 additions & 0 deletions docs/releases/3.1.12.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
===========================================================================================================================

:class:`~django.core.validators.URLValidator`,
:func:`~django.core.validators.validate_ipv4_address`, and
:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

:func:`~django.core.validators.validate_ipv4_address` and
:func:`~django.core.validators.validate_ipv46_address` validators were not
affected on Python 3.9.5+.
13 changes: 13 additions & 0 deletions docs/releases/3.2.4.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,19 @@ the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
===========================================================================================================================

:class:`~django.core.validators.URLValidator`,
:func:`~django.core.validators.validate_ipv4_address`, and
:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

:func:`~django.core.validators.validate_ipv4_address` and
:func:`~django.core.validators.validate_ipv46_address` validators were not
affected on Python 3.9.5+.

Bugfixes
========

Expand Down
8 changes: 8 additions & 0 deletions tests/validators/invalid_urls.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,14 @@ http://1.1.1.1.1
http://123.123.123
http://3628126748
http://123
http://000.000.000.000
http://016.016.016.016
http://192.168.000.001
http://01.2.3.4
http://01.2.3.4
http://1.02.3.4
http://1.2.03.4
http://1.2.3.04
http://.www.foo.bar/
http://.www.foo.bar./
http://[::1:2::3]:8080/
Expand Down
20 changes: 20 additions & 0 deletions tests/validators/tests.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,16 @@
(validate_ipv4_address, '1.1.1.1\n', ValidationError),
(validate_ipv4_address, '٧.2٥.3٣.243', ValidationError),

# Leading zeros are forbidden to avoid ambiguity with the octal notation.
(validate_ipv4_address, '000.000.000.000', ValidationError),
(validate_ipv4_address, '016.016.016.016', ValidationError),
(validate_ipv4_address, '192.168.000.001', ValidationError),
(validate_ipv4_address, '01.2.3.4', ValidationError),
(validate_ipv4_address, '01.2.3.4', ValidationError),
(validate_ipv4_address, '1.02.3.4', ValidationError),
(validate_ipv4_address, '1.2.03.4', ValidationError),
(validate_ipv4_address, '1.2.3.04', ValidationError),

# validate_ipv6_address uses django.utils.ipv6, which
# is tested in much greater detail in its own testcase
(validate_ipv6_address, 'fe80::1', None),
Expand All @@ -161,6 +171,16 @@
(validate_ipv46_address, '::zzz', ValidationError),
(validate_ipv46_address, '12345::', ValidationError),

# Leading zeros are forbidden to avoid ambiguity with the octal notation.
(validate_ipv46_address, '000.000.000.000', ValidationError),
(validate_ipv46_address, '016.016.016.016', ValidationError),
(validate_ipv46_address, '192.168.000.001', ValidationError),
(validate_ipv46_address, '01.2.3.4', ValidationError),
(validate_ipv46_address, '01.2.3.4', ValidationError),
(validate_ipv46_address, '1.02.3.4', ValidationError),
(validate_ipv46_address, '1.2.03.4', ValidationError),
(validate_ipv46_address, '1.2.3.04', ValidationError),

(validate_comma_separated_integer_list, '1', None),
(validate_comma_separated_integer_list, '12', None),
(validate_comma_separated_integer_list, '1,2', None),
Expand Down
6 changes: 6 additions & 0 deletions tests/validators/valid_urls.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,12 @@ http://0.0.0.0/
http://255.255.255.255
http://224.0.0.0
http://224.1.1.1
http://111.112.113.114/
http://88.88.88.88/
http://11.12.13.14/
http://10.20.30.40/
http://1.2.3.4/
http://127.0.01.09.home.lan
http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Expand Down

0 comments on commit 9f75e2e

Please sign in to comment.