diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-03-06 15:24:56 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-04-02 10:21:33 +0200 |
| commit | 39e2297210d9d2938c75fc911d45f0e863dc4821 (patch) | |
| tree | 0fec68f7a688c827ecde281ea9fd44610c1dd331 /django/utils | |
| parent | 00c68f03b5dc6c14618026347ee0da4d466c88e3 (diff) | |
Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/html.py | 3 | ||||
| -rw-r--r-- | django/utils/http.py | 6 |
2 files changed, 6 insertions, 3 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index a9d029165f..8676ae3092 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -13,7 +13,7 @@ from django.core.exceptions import SuspiciousOperation, ValidationError from django.core.validators import EmailValidator from django.utils.deprecation import RemovedInDjango70Warning from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text -from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS +from django.utils.http import MAX_URL_LENGTH, RFC3986_GENDELIMS, RFC3986_SUBDELIMS from django.utils.regex_helper import _lazy_re_compile from django.utils.safestring import SafeData, SafeString, mark_safe from django.utils.text import normalize_newlines @@ -41,7 +41,6 @@ VOID_ELEMENTS = frozenset( ) ) -MAX_URL_LENGTH = 2048 MAX_STRIP_TAGS_DEPTH = 50 diff --git a/django/utils/http.py b/django/utils/http.py index 1f9adeb707..1c7aec7141 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -39,6 +39,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y)) RFC3986_GENDELIMS = ":/?#[]@" RFC3986_SUBDELIMS = "!$&'()*+,;=" +MAX_URL_LENGTH = 2048 def urlencode(query, doseq=False): @@ -274,7 +275,10 @@ def url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False): def _url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False): # Chrome considers any URL with more than two slashes to be absolute, but # urlsplit is not so flexible. Treat any url with three slashes as unsafe. - if url.startswith("///"): + if url.startswith("///") or len(url) > MAX_URL_LENGTH: + # urlsplit does not perform validation of inputs. Unicode normalization + # is very slow on Windows and can be a DoS attack vector. + # https://docs.python.org/3/library/urllib.parse.html#url-parsing-security return False try: url_info = urlsplit(url) |