[3.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. - django.git

diff options

author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-05-04 20:50:12 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-05-06 08:48:22 +0200
commit	2d2c1d0c97832860fbd6597977e2aae17dd7e5b2 (patch)
tree	b40ad19706a34770870288fd792f07b38c8a9f71 /django/__init__.py
parent	a937d7f2142eb6f987679efc82f2c74f47d17ce1 (diff)

[3.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.

In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.

Diffstat (limited to 'django/__init__.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: