| author | Florian Apolloner <florian@apolloner.eu> | 2021-11-29 11:52:03 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-12-07 07:02:14 +0100 |
| commit | 7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (patch) | |
| tree | 30f258d28a98578c1ffc6c7a4a8b6f411759b509 /django/urls/resolvers.py | |
| parent | 0007a5f9fa21bf6fda5e0a701511b95edefdb0ac (diff) | |
[2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.
Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
Diffstat (limited to 'django/urls/resolvers.py')
| -rw-r--r-- | django/urls/resolvers.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py
index 5b722474c9..3f8f6c00ea 100644
--- a/django/urls/resolvers.py
+++ b/django/urls/resolvers.py
@@ -147,7 +147,11 @@ class RegexPattern(CheckURLMixin):
         self.converters = {}
     def match(self, path):
-        match = self.regex.search(path)
+        match = (
+            self.regex.fullmatch(path)
+            if self._is_endpoint and self.regex.pattern.endswith('$')
+            else self.regex.search(path)
+        )
         if match:
             # If there are any named groups, use those as kwargs, ignoring
             # non-named groups. Otherwise, pass all non-named arguments as
@@ -230,7 +234,7 @@ def _route_to_regex(route, is_endpoint=False):
             converters[parameter] = converter
             parts.append('(?P<' + parameter + '>' + converter.regex + ')')
         if is_endpoint:
-            parts.append('$')
+            parts.append(r'\Z')
         return ''.join(parts), converters
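Review bot: The new `fullmatch()` branch in `RegexPattern.match()` has no comment saying why a plain `search()` is no longer enough, and the reason — in Python regexes `$` also matches immediately before a trailing newline, so `search()` accepts a path that an upstream, exact-path access check does not — is exactly what a later maintainer needs in order not to "simplify" it back. I would add above the conditional: `# '$' also matches before a trailing newline, so search() would accept a path ending in '\n'; fullmatch() requires the whole path to be consumed.` Note that `self.regex.pattern.endswith('$')` also fires for a pattern ending in an escaped literal `\$`, which then gets `fullmatch()` instead of `search()`; for an endpoint pattern that looks like a harmless tightening, but it is worth a word in the same comment. The `\Z` switch in `_route_to_regex` needs no such special-casing, as `\Z` only matches at the very end of the string. The body of `match()` continues past the end of the hunk.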
