+34
-2
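--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -101,14 +101,17 @@ class URLValidator(RegexValidator):
 r'\Z', re.IGNORECASE)
 message = _('Enter a valid URL.')
 schemes = ['http', 'https', 'ftp', 'ftps']
+unsafe_chars = frozenset('\t\r\n')
 
 def __init__(self, schemes=None, **kwargs):
 super().__init__(**kwargs)
 if schemes is not None:
 self.schemes = schemes
 
 def __call__(self, value):
-# Check first if the scheme is valid
+if isinstance(value, str) and self.unsafe_chars.intersection(value):
+raise ValidationError(self.message, code=self.code)
+# Check if the scheme is valid.
 scheme = value.split('://')[0].lower()
 if scheme not in self.schemes:
 raise ValidationError(self.message, code=self.code)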
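Review bot: The new `unsafe_chars` guard at the top of `__call__` carries no explanation of why tabs and newlines must be rejected before any other check, and the reason is not recoverable from the code itself; the release note in this commit attributes the bug to the bpo-43882 change, under which `urlsplit()` on Python 3.9.5+ silently strips `\t`, `\r` and `\n`, so a later `urlsplit()`-based re-check (the rest of `__call__` is outside this hunk) could presumably accept a value the regex had already rejected. I would put above the `if`: `# Reject tabs and newlines up front: urlsplit() on Python 3.9.5+ (bpo-43882) strips them, so a later urlsplit()-based check could otherwise accept a value the regex rejected (CVE-2021-32052).` The set is hard-coded to mirror exactly what CPython strips today; if CPython ever widens that set this guard will not follow, so the comment should also say the two must be kept in step. As a style point only, `not self.unsafe_chars.isdisjoint(value)` short-circuits on the first offending character instead of materialising an intersection set.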
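--- /dev/null
+++ b/docs/releases/2.2.22.txt
@@ -0,0 +1,22 @@
+===========================
+Django 2.2.22 release notes
+===========================
+
+*May 6, 2021*
+
+Django 2.2.22 fixes a security issue in 2.2.21.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.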
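--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
 :maxdepth: 1
 
+2.2.22
 2.2.21
 2.2.20
 2.2.19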
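--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -222,9 +222,15 @@
 (URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None),
 
 (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
-# Trailing newlines not accepted
+# Newlines and tabs are not accepted.
 (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
 (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
+(URLValidator(), 'http://www.djangoproject.com/\r', ValidationError),
+(URLValidator(), 'http://[::ffff:192.9.5.5]\r', ValidationError),
+(URLValidator(), 'http://www.django\rproject.com/', ValidationError),
+(URLValidator(), 'http://[::\rffff:192.9.5.5]', ValidationError),
+(URLValidator(), 'http://\twww.djangoproject.com/', ValidationError),
+(URLValidator(), 'http://\t[::ffff:192.9.5.5]', ValidationError),
 # Trailing junk does not take forever to reject
 (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
 (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),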
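Review bot: The added cases exercise `\r` both inside the host and at the end of the URL, but `\t` only ever appears directly after the scheme, so a tab embedded in the host or trailing the URL is not covered even though the validator is meant to treat all three characters identically. I would add `(URLValidator(), 'http://www.django\tproject.com/', ValidationError),` and `(URLValidator(), 'http://www.djangoproject.com/\t', ValidationError),` next to the existing tab cases so a regression in either position is caught. The test list this hunk sits in starts and ends outside the hunk.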