| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2009-10-09 20:59:05 +0000 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2009-10-09 20:59:05 +0000 |
| commit | e3e992e18b368fcd56aabafc1b5bf80a6e11b495 (patch) | |
| tree | 6c18272091c6b33f241e0e5ee27cfec9ddde8df1 /django/forms | |
| parent | 17173ac65af35683b8ca077a3a855eae1625ccd9 (diff) | |
[1.1.X] SECURITY ALERT: Corrected regular expressions for URL and email fields.
Certain email addresses/URLs could trigger a catastrophic backtracking
situation, causing 100% CPU and server overload. If deliberately triggered, this
could be the basis of a denial-of-service attack.
This security vulnerability was disclosed in public, so we're skipping our
normal security release process to get the fix out as soon as possible.
This is a security related update. A full announcement will follow.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@11604 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/forms')
| -rw-r--r-- | django/forms/fields.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/django/forms/fields.py b/django/forms/fields.py
index 14faf2fc36..0aef355d0f 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -421,7 +421,7 @@ class RegexField(CharField):
 email_re = re.compile(
     r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*" # dot-atom
     r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"' # quoted-string
-    r')@(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$', re.IGNORECASE) # domain
+    r')@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$', re.IGNORECASE) # domain
 
 class EmailField(RegexField):
     default_error_messages = {
@@ -532,7 +532,7 @@ class ImageField(FileField):
 url_re = re.compile(
     r'^https?://' # http:// or https://
-    r'(?:(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}|' #domain...
+    r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' #domain...
     r'localhost|' #localhost...
     r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
     r'(?::\d+)?' # optional port |
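Review bot: The new domain pattern in `email_re` still ends in `$`, which in Python (without re.MULTILINE) also matches just before a trailing newline, so a value like `'user@example.com\n'` passes the field; if that is unintended, anchor with `\Z` instead: `r')@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?\Z'`. The backtracking fix itself reads as sound: every label is delimited by the mandatory `\.` and the inner `[A-Z0-9-]{0,61}` is bounded, so the outer `+` can no longer re-partition a run of characters the way `[A-Z0-9]+(?:-*[A-Z0-9]+)*` could. The diffstat is limited to `django/forms`, so a regression test may exist elsewhere; if not, a test feeding a long non-matching tail (many label characters with no terminating dot/TLD) under a time bound would pin this class of regression, since the dot-atom and quoted-string alternatives on the untouched lines are not covered by this change. A short comment on the changed line, e.g. `# label: 1-63 chars, no leading/trailing hyphen; bounded to avoid catastrophic backtracking`, would record why the shape matters. `class EmailField` continues past the end of the hunk.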
