[2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.

In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] python/cpython@76cd81d

Backport of e1e81aa from main.
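The defect the commit message describes, as an added illustration that is not Django's code or part of this commit: a simplified regex (`URL_RE`) and a `punycode_variant()` round-trip stand in for URLValidator's real ones, and the input with an embedded CRLF is constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Simplified stand-in for the regex URLValidator applies to the Punycode
# variant of the value (an assumption here, not Django's actual pattern).
URL_RE = re.compile(r'^https?://[A-Za-z0-9.-]+(?:/\S*)?$')

# The ASCII characters the fix refuses before any parsing happens.
UNSAFE_CHARS = frozenset('\t\r\n')


def punycode_variant(value):
    """Rebuild the URL via urlsplit()/urlunsplit(), mirroring how the
    validator produces an IDNA-encoded host variant. On Python 3.9.5+ the
    round-trip silently drops ASCII tabs and newlines (bpo-43882)."""
    scheme, netloc, path, query, fragment = urlsplit(value)
    netloc = netloc.encode('idna').decode('ascii')
    return urlunsplit((scheme, netloc, path, query, fragment))


def validate_before_fix(value):
    """Vulnerable shape: the regex sees only the cleaned variant, so a
    source value containing '\\r\\n' is accepted wherever urlsplit() strips
    those characters."""
    return URL_RE.match(punycode_variant(value)) is not None


def validate_after_fix(value):
    """Fixed shape: reject unsafe characters in the *source* value first,
    before parsing has a chance to remove them."""
    if UNSAFE_CHARS.intersection(value):
        return False
    return validate_before_fix(value)


def stdlib_strips_unsafe_chars():
    """True when this interpreter's urlsplit() removes tabs/newlines."""
    return urlsplit('http://example.com/a\nb').path == '/ab'


def demo(value='http://example.com/path\r\nX-Injected:1'):
    """Constructed value with an embedded CRLF; returns both outcomes so
    the behaviour can be compared across Python versions."""
    return {
        'stdlib_strips': stdlib_strips_unsafe_chars(),
        'before_fix': validate_before_fix(value),
        'after_fix': validate_after_fix(value),
    }
```

On Python 3.9.5+ `demo()['before_fix']` is True while the source value still carries the CRLF; `after_fix` is False on every version because the check runs on the raw input.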
Showing 4 changed files with 34 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
=========================== | ||
Django 2.2.22 release notes | ||
=========================== | ||
|
||
*May 6, 2021* | ||
|
||
Django 2.2.22 fixes a security issue in 2.2.21. | ||
|
||
CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+ | ||
=============================================================================================================== | ||
|
||
On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit | ||
newlines and tabs. If you used values with newlines in HTTP response, you could | ||
suffer from header injection attacks. Django itself wasn't vulnerable because | ||
:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers. | ||
|
||
Moreover, the ``URLField`` form field which uses ``URLValidator`` silently | ||
removes newlines and tabs on Python 3.9.5+, so the possibility of newlines | ||
entering your data only existed if you are using this validator outside of the | ||
form fields. | ||
|
||
This issue was introduced by the :bpo:`43882` fix. |
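Review bot: the CVE section explains what went wrong but never states the new behaviour; add a sentence saying that ``URLValidator`` now rejects values containing newlines or tabs on these Python versions (the commit title's "Prevented newlines and tabs from being accepted"), so readers learn what changed and not only why. Two wording points in the same paragraphs: "values with newlines in HTTP response" reads better as "in an HTTP response", and "only existed if you are using this validator" mixes tenses, so "only existed if you were using" (or "only exists if you use") keeps the sentence consistent.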