diff options
| author | Nick Pope <nick@nickpope.me.uk> | 2023-01-25 12:21:48 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-02-01 09:48:18 +0100 |
| commit | c7e0151fdf33e1b11d488b6f67b94fdf3a30614a (patch) | |
| tree | 0f0ccd90e4a1664c935d09e2f9daf26bb3f38d85 /tests/i18n/tests.py | |
| parent | 9da46345d83e5d9ecb60512efb2d2e0b2b02b974 (diff) | |
[3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.
Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
Diffstat (limited to 'tests/i18n/tests.py')
| -rw-r--r-- | tests/i18n/tests.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py index 4c31c3bc66..41ec63da99 100644 --- a/tests/i18n/tests.py +++ b/tests/i18n/tests.py @@ -1352,6 +1352,14 @@ class MiscTests(SimpleTestCase): ('de;q=0.', [('de', 0.0)]), ('en; q=1,', [('en', 1.0)]), ('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]), + ( + 'en' + '-x' * 20, + [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)], + ), + ( + ', '.join(['en; q=1.0'] * 20), + [('en', 1.0)] * 20, + ), # Bad headers ('en-gb;q=1.0000', []), ('en;q=0.1234', []), @@ -1367,6 +1375,10 @@ class MiscTests(SimpleTestCase): ('12-345', []), ('', []), ('en;q=1e0', []), + # Invalid as language-range value too long. + ('xxxxxxxx' + '-xxxxxxxx' * 500, []), + # Header value too long, only parse up to limit. + (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45), ] for value, expected in tests: with self.subTest(value=value): |