diff options
| author | Nick Pope <nick@nickpope.me.uk> | 2023-01-25 12:21:48 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-02-01 09:47:17 +0100 |
| commit | 4452642f193533e288a52c02efb5bbc766a68f95 (patch) | |
| tree | 5c24d90c44acb39d231610d3a9421d3ff886fecc /tests | |
| parent | b880e20876fec670e11db8b42f754fbbbfd8055c (diff) | |
[4.0.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.
Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/i18n/tests.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py index 90c6eed286..896e8ebd21 100644 --- a/tests/i18n/tests.py +++ b/tests/i18n/tests.py @@ -1728,6 +1728,14 @@ class MiscTests(SimpleTestCase): ("de;q=0.", [("de", 0.0)]), ("en; q=1,", [("en", 1.0)]), ("en; q=1.0, * ; q=0.5", [("en", 1.0), ("*", 0.5)]), + ( + "en" + "-x" * 20, + [("en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x", 1.0)], + ), + ( + ", ".join(["en; q=1.0"] * 20), + [("en", 1.0)] * 20, + ), # Bad headers ("en-gb;q=1.0000", []), ("en;q=0.1234", []), @@ -1743,6 +1751,11 @@ class MiscTests(SimpleTestCase): ("12-345", []), ("", []), ("en;q=1e0", []), + ("en-au;q=1.0", []), + # Invalid as language-range value too long. + ("xxxxxxxx" + "-xxxxxxxx" * 500, []), + # Header value too long, only parse up to limit. + (", ".join(["en; q=1.0"] * 500), [("en", 1.0)] * 45), ] for value, expected in tests: with self.subTest(value=value): |
