diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-03-06 15:24:56 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-04-02 10:23:46 +0200 |
| commit | 2cb311f7b069723027fb5def4044d1816d7d2afd (patch) | |
| tree | 0b98eb2a2c3b0d3a0da7b566f88bce9924bc851a /tests | |
| parent | c68f3516be266cbc3929e51e32ed63d304ac5cc6 (diff) | |
[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.
Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/utils_tests/test_http.py | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index c04f0a03d7..a92e65dd08 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -6,6 +6,7 @@ from unittest import mock from django.test import SimpleTestCase from django.utils.datastructures import MultiValueDict from django.utils.http import ( + MAX_URL_LENGTH, base36_to_int, content_disposition_header, escape_leading_slashes, @@ -273,6 +274,21 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase): False, ) + def test_max_url_length(self): + allowed_host = "example.com" + max_extra_characters = "é" * (MAX_URL_LENGTH - len(allowed_host) - 1) + max_length_boundary_url = f"{allowed_host}/{max_extra_characters}" + cases = [ + (max_length_boundary_url, True), + (max_length_boundary_url + "ú", False), + ] + for url, expected in cases: + with self.subTest(url=url): + self.assertIs( + url_has_allowed_host_and_scheme(url, allowed_hosts={allowed_host}), + expected, + ) + class URLSafeBase64Tests(unittest.TestCase): def test_roundtrip(self): |
