| author | Shai Berger <shai@platonix.com> | 2015-06-30 01:09:21 +0300 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-07-08 15:23:19 -0400 |
| commit | 8f9a4d3a2bc42f14bb437defd30c7315adbff22c (patch) | |
| tree | 00552e5bf72b45186b14aadc17aa63e2073e6617 /django | |
| parent | 574dd5e0b0fbb877ae5827b1603d298edc9bb2a0 (diff) | |
[1.8.x] Fixed catastrophic backtracking in URLValidator.
Thanks João Silva for reporting the problem and Tim Graham for finding the
problematic RE and for review.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/validators.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/core/validators.py b/django/core/validators.py
index f97b3d9772..cd5b16b207 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -73,7 +73,7 @@ class URLValidator(RegexValidator):
 # Host patterns
 hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'
- domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*'
+ domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*'
 tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'
 host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)' |
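Review bot: The new `domain_re` quantifies the label body with `*`, so a label can now be empty: after `\.` the character class may match nothing and `(?<!-)` still passes because the preceding character is the dot, so a host with consecutive dots (constructed example: `a..example.com`) appears to validate where the removed pattern required at least one character per label. Requiring one character keeps the match linear, because every repetition must still begin with a literal dot that is not in the class: `domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]+(?<!-))*'`. A short comment above the line, such as `# lookarounds reject leading/trailing hyphens without nested quantifiers (avoids catastrophic backtracking)`, would keep a later edit from reintroducing the nested form. The diffstat is limited to `django`, so it is not visible here whether a regression test with a long non-matching host accompanies the change; the class body continues outside the hunk.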
