diff options
| author | Shai Berger <shai@platonix.com> | 2015-06-30 01:09:21 +0300 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-07-08 15:23:19 -0400 |
| commit | 8f9a4d3a2bc42f14bb437defd30c7315adbff22c (patch) | |
| tree | 00552e5bf72b45186b14aadc17aa63e2073e6617 | |
| parent | 574dd5e0b0fbb877ae5827b1603d298edc9bb2a0 (diff) | |
[1.8.x] Fixed catastrophic backtracking in URLValidator.
Thanks João Silva for reporting the problem and Tim Graham for finding the
problematic RE and for review.
This is a security fix; disclosure to follow shortly.
| -rw-r--r-- | django/core/validators.py | 2 | ||||
| -rw-r--r-- | docs/releases/1.8.3.txt | 7 | ||||
| -rw-r--r-- | tests/validators/invalid_urls.txt | 2 | ||||
| -rw-r--r-- | tests/validators/tests.py | 3 | ||||
| -rw-r--r-- | tests/validators/valid_urls.txt | 1 |
5 files changed, 14 insertions, 1 deletions
diff --git a/django/core/validators.py b/django/core/validators.py index f97b3d9772..cd5b16b207 100644 --- a/django/core/validators.py +++ b/django/core/validators.py @@ -73,7 +73,7 @@ class URLValidator(RegexValidator): # Host patterns hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?' - domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*' + domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*' tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?' host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)' diff --git a/docs/releases/1.8.3.txt b/docs/releases/1.8.3.txt index 5c6301274b..5e01a131a2 100644 --- a/docs/releases/1.8.3.txt +++ b/docs/releases/1.8.3.txt @@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now stricter as it validates using a regular expression instead of simply casting the value using ``int()`` and checking if an exception was raised. +Denial-of-service possibility in URL validation +=============================================== + +:class:`~django.core.validators.URLValidator` included a regular expression +that was extremely slow to evaluate against certain invalid inputs. This regular +expression has been simplified and optimized. + Bugfixes ======== diff --git a/tests/validators/invalid_urls.txt b/tests/validators/invalid_urls.txt index 9a4df36a20..a3393d76ed 100644 --- a/tests/validators/invalid_urls.txt +++ b/tests/validators/invalid_urls.txt @@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux http://-error-.invalid/ http://-a.b.co http://a.b-.co +http://a.-b.co +http://a.b-.c.co http:/ http:// http:// diff --git a/tests/validators/tests.py b/tests/validators/tests.py index e410905b50..528b1a74ca 100644 --- a/tests/validators/tests.py +++ b/tests/validators/tests.py @@ -172,6 +172,9 @@ TEST_DATA = [ # Trailing newlines not accepted (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), + # Trailing junk does not take forever to reject + (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError), + (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError), (BaseValidator(True), True, None), (BaseValidator(True), False, ValidationError), diff --git a/tests/validators/valid_urls.txt b/tests/validators/valid_urls.txt index 040298f4fe..8c98f848e4 100644 --- a/tests/validators/valid_urls.txt +++ b/tests/validators/valid_urls.txt @@ -7,6 +7,7 @@ http://www.example.com/ http://www.example.com:8000/test http://valid-with-hyphens.com/ http://subdomain.example.com/ +http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa http://200.8.9.10/ http://200.8.9.10:8000/test http://su--b.valid-----hyphens.com/ |