| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-01-29 22:52:41 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-03-03 09:22:17 -0300 |
| commit | b3e8ec8cc310489fe80174b14b11edb970d682ea (patch) | |
| tree | 331fb2517ce3ade9cc2f44b3154e48678540b136 /docs | |
| parent | e52ff00856cce3a2b05d244ee98dc2b8d9fcf3a9 (diff) | |
[4.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.
This simplification mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
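Scheme detection via `str.partition(":")` as the commit message describes it, reconstructed as an added example that is not Django's own code: `detect_scheme` applies the RFC 3986 scheme character rule (letters, digits, `+`, `-`, `.`, starting with a letter) to the text before the first colon, so the network location is never parsed or NFKC-normalized, and `add_assumed_scheme` prepends an assumed scheme the way the message says `to_python()` now does while leaving control characters inside the value for the validator layer to reject. The function names, the `assume_scheme` default and the `agrees_with_urlsplit` consistency check are assumptions of this example, not part of the fix.

```python
import string
from urllib.parse import urlsplit

# RFC 3986 scheme characters; the same set urllib.parse uses for urlsplit().
_SCHEME_CHARS = frozenset(string.ascii_letters + string.digits + "+-.")


def detect_scheme(value: str) -> str:
    """Return the lower-cased scheme of ``value``, or "" if it has none.

    Only the text before the first ":" is inspected; the authority, path and
    query are never parsed, so no Unicode normalization of the netloc occurs
    and the cost is linear in the length of the candidate scheme alone.
    """
    head, sep, _rest = value.partition(":")
    if not sep or not head:
        return ""
    if not (head[0].isascii() and head[0].isalpha()):
        return ""
    if any(c not in _SCHEME_CHARS for c in head):
        return ""
    return head.lower()


def add_assumed_scheme(value: str, assume_scheme: str = "https") -> str:
    """Prepend ``assume_scheme://`` when the value carries no scheme.

    Leading and trailing whitespace is stripped (as the release note says it
    still is), but embedded newlines, tabs and other control characters are
    passed through untouched: rejecting them is the validator's job.
    """
    value = value.strip()
    if not value or detect_scheme(value):
        return value
    return f"{assume_scheme}://{value}"


def agrees_with_urlsplit(value: str) -> bool:
    """Consistency check (assumed helper): scheme detection matches urlsplit()."""
    return detect_scheme(value) == urlsplit(value).scheme
```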
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.29.txt | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/docs/releases/4.2.29.txt b/docs/releases/4.2.29.txt index a3f3787cd6..b780264929 100644 --- a/docs/releases/4.2.29.txt +++ b/docs/releases/4.2.29.txt @@ -6,3 +6,25 @@ Django 4.2.29 release notes Django 4.2.29 fixes a security issue with severity "moderate" and a security issue with severity "low" in 4.2.28. + +CVE-2026-25673: Potential denial-of-service vulnerability in ``URLField`` via Unicode normalization on Windows +============================================================================================================== + +The :class:`~django.forms.URLField` form field's ``to_python()`` method used +:func:`~urllib.parse.urlsplit` to determine whether to prepend a URL scheme to +the submitted value. On Windows, ``urlsplit()`` performs +:func:`NFKC normalization <python:unicodedata.normalize>`, which can be +disproportionately slow for large inputs containing certain characters. + +``URLField.to_python()`` now uses a simplified scheme detection, avoiding +Unicode normalization entirely and deferring URL validation to the appropriate +layers. As a result, while leading and trailing whitespace is still stripped by +default, characters such as newlines, tabs, and other control characters within +the value are no longer handled by ``URLField.to_python()``. When using the +default :class:`~django.core.validators.URLValidator`, these values will +continue to raise :exc:`~django.core.exceptions.ValidationError` during +validation, but if you rely on custom validators, ensure they do not depend on +the previous behavior of ``URLField.to_python()``. + +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. |
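Review bot: the heading and first paragraph of the new section attribute the slow NFKC normalization to Windows, but nothing in the note says why the behaviour is platform-specific, so readers cannot judge whether non-Windows deployments are exposed; one clause explaining the Windows-only condition, or a reference to the upstream Python issue, would make the severity assessment verifiable. In the last paragraph, "ensure they do not depend on the previous behavior" would be more actionable if it said plainly that custom validators must now reject newlines, tabs and other control characters themselves, since ``to_python()`` no longer touches them.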
