diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-01-29 22:52:41 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-03-03 09:08:46 -0300 |
| commit | 951ffb3832cd83ba672c1e3deae2bda128eb9cca (patch) | |
| tree | ef54fa16e02bd57198368c3e2f8df9bbc7f9f171 /scripts | |
| parent | c1d8646ec219b8b90ebdd463f40e5767876658a0 (diff) | |
Fixed CVE-2026-25673 -- Simplified URLField scheme detection.
This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
