+73
-3
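--- a/[PATH-NOT-SHOWN: URLValidator module]
+++ b/[PATH-NOT-SHOWN: URLValidator module]
@@ -92,6 +92,7 @@ class URLValidator(RegexValidator):
         r'\Z', re.IGNORECASE)
     message = _('Enter a valid URL.')
     schemes = ['http', 'https', 'ftp', 'ftps']
+    unsafe_chars = frozenset('\t\r\n')
 
     def __init__(self, schemes=None, **kwargs):
         super().__init__(**kwargs)
@@ -101,6 +102,8 @@ def __init__(self, schemes=None, **kwargs):
     def __call__(self, value):
         if not isinstance(value, str):
             raise ValidationError(self.message, code=self.code, params={'value': value})
+        if self.unsafe_chars.intersection(value):
+            raise ValidationError(self.message, code=self.code, params={'value': value})
         # Check if the scheme is valid.
         scheme = value.split('://')[0].lower()
         if scheme not in self.schemes: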
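Review bot: The new `unsafe_chars` attribute and the intersection() test in __call__ carry no comment explaining why these three characters are rejected before any parsing, and the reason is not obvious from the code: the release notes in this same commit say Python 3.9.5+ (the bpo-43882 fix) strips tabs and newlines from a URL before parsing, so without this guard such input would sail through the later checks. I would add above the class attribute `# Python 3.9.5+ urlsplit() silently strips these (bpo-43882); reject them before any parsing so callers cannot be exposed to header injection.` As a point of style, `intersection()` builds a throwaway set of every character in value, whereas `if not self.unsafe_chars.isdisjoint(value):` stops at the first hit and reads as the membership test it is. Should a later Python release strip further characters before parsing, this frozenset is the single place to extend, which is worth saying in that comment. __call__ continues past the end of the hunk.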
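--- /dev/null
+++ b/[PATH-NOT-SHOWN: 2.2.22 release notes]
@@ -0,0 +1,22 @@
+===========================
+Django 2.2.22 release notes
+===========================
+
+*May 6, 2021*
+
+Django 2.2.22 fixes a security issue in 2.2.21.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.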
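--- /dev/null
+++ b/[PATH-NOT-SHOWN: 3.1.10 release notes]
@@ -0,0 +1,22 @@
+===========================
+Django 3.1.10 release notes
+===========================
+
+*May 6, 2021*
+
+Django 3.1.10 fixes a security issue in 3.1.9.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.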
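--- a/[PATH-NOT-SHOWN: 3.2.2 release notes]
+++ b/[PATH-NOT-SHOWN: 3.2.2 release notes]
@@ -2,9 +2,24 @@
 Django 3.2.2 release notes
 ==========================
 
-*Expected June 1, 2021*
+*May 6, 2021*
 
-Django 3.2.2 fixes several bugs in 3.2.1.
+Django 3.2.2 fixes a security issue and a bug in 3.2.1.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.
 
 Bugfixes
 ========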
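--- a/[PATH-NOT-SHOWN: release notes index]
+++ b/[PATH-NOT-SHOWN: release notes index]
@@ -34,6 +34,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   3.1.10
    3.1.9
    3.1.8
    3.1.7
@@ -71,6 +72,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   2.2.22
    2.2.21
    2.2.20
    2.2.19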
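--- a/[PATH-NOT-SHOWN: validators tests]
+++ b/[PATH-NOT-SHOWN: validators tests]
@@ -226,9 +226,15 @@
     (URLValidator(), None, ValidationError),
     (URLValidator(), 56, ValidationError),
     (URLValidator(), 'no_scheme', ValidationError),
-    # Trailing newlines not accepted
+    # Newlines and tabs are not accepted.
     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
+    (URLValidator(), 'http://www.djangoproject.com/\r', ValidationError),
+    (URLValidator(), 'http://[::ffff:192.9.5.5]\r', ValidationError),
+    (URLValidator(), 'http://www.django\rproject.com/', ValidationError),
+    (URLValidator(), 'http://[::\rffff:192.9.5.5]', ValidationError),
+    (URLValidator(), 'http://\twww.djangoproject.com/', ValidationError),
+    (URLValidator(), 'http://\t[::ffff:192.9.5.5]', ValidationError),
     # Trailing junk does not take forever to reject
     (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
     (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),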
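Review bot: The added cases exercise `\r` and `\t` both trailing and embedded in the host, but `\n` is still only tested in trailing position, where the old comment ("Trailing newlines not accepted") shows the regex already rejected it before this change; nothing in the list demonstrates that an embedded newline now reaches the new unsafe_chars guard. I would add `(URLValidator(), 'http://www.django\nproject.com/', ValidationError),` beside the embedded-`\r` host case so all three rejected characters are covered in the same positions. If no such case exists elsewhere in the list, a passing case with the characters percent-encoded (for example `%0A` in the path) would also pin that the guard acts on raw characters only and does not over-reject legitimately encoded URLs. The enclosing list starts and ends outside the hunk.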