authorTim Graham <timograham@gmail.com>2015-06-12 13:49:31 -0400
committerTim Graham <timograham@gmail.com>2015-07-08 15:23:18 -0400
commit574dd5e0b0fbb877ae5827b1603d298edc9bb2a0 (patch)
treeca2631d21fd50573edd594770bdf2fe0f528768a /django/core/validators.py
parent66d12d1ababa8f062857ee5eb43276493720bf16 (diff)
[1.8.x] Prevented newlines from being accepted in some validators.
This is a security fix; disclosure to follow shortly. Thanks to Sjoerd Job Postmus for the report and draft patch.
Diffstat (limited to 'django/core/validators.py')
-rw-r--r--django/core/validators.py27
1 files changed, 15 insertions, 12 deletions
diff --git a/django/core/validators.py b/django/core/validators.py
index ac10d92956..f97b3d9772 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -83,7 +83,7 @@ class URLValidator(RegexValidator):
r'(?:' + ipv4_re + '|' + ipv6_re + '|' + host_re + ')'
r'(?::\d{2,5})?' # port
r'(?:[/?#][^\s]*)?' # resource path
- r'$', re.IGNORECASE)
+ r'\Z', re.IGNORECASE)
message = _('Enter a valid URL.')
schemes = ['http', 'https', 'ftp', 'ftps']
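Review bot: Nothing on the changed `r'\Z', re.IGNORECASE)` line records why `\Z` is used rather than `$`, so a later regex cleanup could quietly restore the old anchor. `$` also matches just before a trailing newline, which is why a value ending in `\n` used to validate. A short comment such as `# \Z, not $: $ also matches before a trailing newline` would pin the intent here, and the same applies to the EmailValidator, slug_re, ipv4_re and comma_separated_int_list_re hunks below. The regex being edited starts above this hunk.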
@@ -125,12 +125,15 @@ class URLValidator(RegexValidator):
raise ValidationError(self.message, code=self.code)
url = value
+integer_validator = RegexValidator(
+ re.compile('^-?\d+\Z'),
+ message=_('Enter a valid integer.'),
+ code='invalid',
+)
+
def validate_integer(value):
- try:
- int(value)
- except (ValueError, TypeError):
- raise ValidationError(_('Enter a valid integer.'), code='invalid')
+ return integer_validator(value)
@deconstructible
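Review bot: The added pattern `re.compile('^-?\d+\Z')` is a plain string, so `\d` and `\Z` depend on Python passing unknown escapes through unchanged; write it as `re.compile(r'^-?\d+\Z')`, and likewise `'^[\d,]+\Z'` in the comma_separated_int_list_re hunk. Replacing `int(value)` with a regex also narrows what validates beyond the newline case: strings such as `'+5'` or `' 42 '`, which `int()` accepted, are now rejected, and a comment above `integer_validator` should say that this is deliberate. `validate_integer` now returns the validator's result instead of falling off the end; that is presumably still `None`, but calling `integer_validator(value)` without `return` would keep the old shape exactly.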
@@ -138,17 +141,17 @@ class EmailValidator(object):
message = _('Enter a valid email address.')
code = 'invalid'
user_regex = re.compile(
- r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*$" # dot-atom
- r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-\011\013\014\016-\177])*"$)', # quoted-string
+ r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*\Z" # dot-atom
+ r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-\011\013\014\016-\177])*"\Z)', # quoted-string
re.IGNORECASE)
domain_regex = re.compile(
# max length of the domain is 249: 254 (max email length) minus one
# period, two characters for the TLD, @ sign, & one character before @.
- r'(?:[A-Z0-9](?:[A-Z0-9-]{0,247}[A-Z0-9])?\.)+(?:[A-Z]{2,6}|[A-Z0-9-]{2,}(?<!-))$',
+ r'(?:[A-Z0-9](?:[A-Z0-9-]{0,247}[A-Z0-9])?\.)+(?:[A-Z]{2,6}|[A-Z0-9-]{2,}(?<!-))\Z',
re.IGNORECASE)
literal_regex = re.compile(
# literal form, ipv4 or ipv6 address (SMTP 4.1.3)
- r'\[([A-f0-9:\.]+)\]$',
+ r'\[([A-f0-9:\.]+)\]\Z',
re.IGNORECASE)
domain_whitelist = ['localhost']
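Review bot: On the changed `literal_regex` line the class `[A-f0-9:\.]` is a range from `A` to lowercase `f`, so besides hex digits it also admits `[`, `\`, `]`, `^`, `_` and the backtick. Since `re.IGNORECASE` is already set, `r'\[([A-F0-9:.]+)\]\Z'` expresses the intended set. The range predates this commit, and the captured literal may be re-validated as an IP address in `__call__`, which is outside the hunk, so this is probably hardening rather than a bypass. The class body starts and ends outside the hunk.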
@@ -206,14 +209,14 @@ class EmailValidator(object):
validate_email = EmailValidator()
-slug_re = re.compile(r'^[-a-zA-Z0-9_]+$')
+slug_re = re.compile(r'^[-a-zA-Z0-9_]+\Z')
validate_slug = RegexValidator(
slug_re,
_("Enter a valid 'slug' consisting of letters, numbers, underscores or hyphens."),
'invalid'
)
-ipv4_re = re.compile(r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}$')
+ipv4_re = re.compile(r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}\Z')
validate_ipv4_address = RegexValidator(ipv4_re, _('Enter a valid IPv4 address.'), 'invalid')
@@ -254,7 +257,7 @@ def ip_address_validators(protocol, unpack_ipv4):
raise ValueError("The protocol '%s' is unknown. Supported: %s"
% (protocol, list(ip_address_validator_map)))
-comma_separated_int_list_re = re.compile('^[\d,]+$')
+comma_separated_int_list_re = re.compile('^[\d,]+\Z')
validate_comma_separated_integer_list = RegexValidator(
comma_separated_int_list_re,
_('Enter only digits separated by commas.'),
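Review bot: The new `'^[\d,]+\Z'` still accepts values with no digits at all or with empty fields (constructed examples: `','` and `'1,,2'`), although the message promises digits separated by commas. If callers split the value and convert each field, a stricter pattern such as `r'^\d+(?:,\d+)*\Z'` would close that gap. It would also reject input that is accepted today, so it probably belongs in a separate change with its own release note. The RegexValidator call continues past the end of the hunk.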