diff options
| author | Shai Berger <shai@platonix.com> | 2015-06-30 01:09:21 +0300 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-07-08 15:23:19 -0400 |
| commit | 8f9a4d3a2bc42f14bb437defd30c7315adbff22c (patch) | |
| tree | 00552e5bf72b45186b14aadc17aa63e2073e6617 /docs | |
| parent | 574dd5e0b0fbb877ae5827b1603d298edc9bb2a0 (diff) | |
[1.8.x] Fixed catastrophic backtracking in URLValidator.
Thanks João Silva for reporting the problem and Tim Graham for finding the
problematic RE and for review.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.8.3.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/1.8.3.txt b/docs/releases/1.8.3.txt index 5c6301274b..5e01a131a2 100644 --- a/docs/releases/1.8.3.txt +++ b/docs/releases/1.8.3.txt @@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now stricter as it validates using a regular expression instead of simply casting the value using ``int()`` and checking if an exception was raised. +Denial-of-service possibility in URL validation +=============================================== + +:class:`~django.core.validators.URLValidator` included a regular expression +that was extremely slow to evaluate against certain invalid inputs. This regular +expression has been simplified and optimized. + Bugfixes ======== |
