+12
-2
lines changedFilter options
+12
-2
lines changed Original file line number Diff line number Diff line change
@@ -303,7 +303,7 @@ def __init__(self, prefix_default_language=True):
303 303
@property
304 304
def regex(self):
305 305
# This is only used by reverse() and cached in _reverse_dict.
306 -
return re.compile(self.language_prefix)
306 +
return re.compile(re.escape(self.language_prefix))
307 307 308 308
@property
309 309
def language_prefix(self):
@@ -6,4 +6,8 @@ Django 3.2.16 release notes
6 6 7 7
Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.
8 8 9 -
...
9 +
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
10 +
===================================================================================
11 + 12 +
Internationalized URLs were subject to potential denial of service attack via
13 +
the locale parameter.
Original file line number Diff line number Diff line change
@@ -172,6 +172,12 @@ def test_translate_url_utility(self):
172 172
self.assertEqual(translate_url('/nl/gebruikers/', 'en'), '/en/users/')
173 173
self.assertEqual(translation.get_language(), 'nl')
174 174 175 +
def test_locale_not_interepreted_as_regex(self):
176 +
with translation.override("e("):
177 +
# Would previously error:
178 +
# re.error: missing ), unterminated subpattern at position 1
179 +
reverse("users")
180 + 175 181 176 182
class URLNamespaceTests(URLTestCaseBase):
177 183
"""
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4