author Natalia <124304+nessita@users.noreply.github.com> 2026-01-29 22:52:41 -0300
committer Natalia <124304+nessita@users.noreply.github.com> 2026-03-03 09:22:17 -0300
commit b3e8ec8cc310489fe80174b14b11edb970d682ea (patch)
tree 331fb2517ce3ade9cc2f44b3154e48678540b136 /tests/admin_views/admin.py
parent e52ff00856cce3a2b05d244ee98dc2b8d9fcf3a9 (diff)
[4.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.
This simplification mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads.

Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review.

Refs #36923.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
Diffstat (limited to 'tests/admin_views/admin.py')
0 files changed, 0 insertions, 0 deletions
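
The scheme-detection approach named in the commit message, sketched as an added example (this is not Django's code and not part of the commit). The names `detect_scheme` and `assume_scheme`, the default scheme, and the host:port heuristic are assumptions made for illustration.

```python
import re

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")


def detect_scheme(value):
    """Return the lower-cased scheme of value, or "" if it has none.

    Only the text before the first ":" is inspected, so the host, path
    and query are never parsed or normalized by this function.
    """
    head, sep, tail = value.partition(":")
    if not sep or not SCHEME_RE.fullmatch(head):
        return ""
    # "example.com:8080/x" is host:port, not scheme:rest. Treating an
    # all-digit run after the colon as a port is this example's assumption.
    port = tail.split("/", 1)[0]
    if port.isascii() and port.isdigit():
        return ""
    return head.lower()


def assume_scheme(value, default="http"):
    """Prefix scheme-less input with default (hypothetical helper), as a
    form field might do before passing the value to a URL validator."""
    if detect_scheme(value):
        return value
    if value.startswith("//"):  # network-path reference: keep its slashes
        return f"{default}:{value}"
    return f"{default}://{value}"


# Constructed sample inputs (not taken from the commit or its tests).
SAMPLES = [
    "https://example.com/a?b=c",
    "HTTP://EXAMPLE.COM",
    "example.com/path",
    "example.com:8080/path",
    "//example.com/path",
    "mailto:user@example.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:30} scheme={detect_scheme(s)!r:9} -> {assume_scheme(s)!r}")
```

The result still needs full URL validation afterwards; this step only decides whether a scheme is present.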