[5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. - django.git

diff options

author	Natalia <124304+nessita@users.noreply.github.com>	2026-01-29 22:52:41 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2026-03-03 09:16:53 -0300
commit	4d3c184686626d224d9a87451410ecf802b41f7c (patch)
tree	36d87c1b19f5c5a579bc4c5f65bd6f1e57d524a7 /django/core/files/storage/filesystem.py
parent	94e7f17e0e507a14f30a30f4af2b0213fd9675fc (diff)

[5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.

This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.

Diffstat (limited to 'django/core/files/storage/filesystem.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: