authorJacob Kaplan-Moss <jacob@jacobian.org>2009-10-09 20:59:05 +0000
committerJacob Kaplan-Moss <jacob@jacobian.org>2009-10-09 20:59:05 +0000
commite3e992e18b368fcd56aabafc1b5bf80a6e11b495 (patch)
tree6c18272091c6b33f241e0e5ee27cfec9ddde8df1 /tests/regressiontests/forms/fields.py
parent17173ac65af35683b8ca077a3a855eae1625ccd9 (diff)
[1.1.X] SECURITY ALERT: Corrected regular expressions for URL and email fields.
Certain email addresses/URLs could trigger a catastrophic backtracking situation, causing 100% CPU and server overload. If deliberately triggered, this could be the basis of a denial-of-service attack. This security vulnerability was disclosed in public, so we're skipping our normal security release process to get the fix out as soon as possible. This is a security-related update. A full announcement will follow. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@11604 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests/regressiontests/forms/fields.py')
-rw-r--r--tests/regressiontests/forms/fields.py33
1 files changed, 33 insertions, 0 deletions
diff --git a/tests/regressiontests/forms/fields.py b/tests/regressiontests/forms/fields.py
index 9d9d7227b9..9d407d9ea7 100644
--- a/tests/regressiontests/forms/fields.py
+++ b/tests/regressiontests/forms/fields.py
@@ -767,6 +767,13 @@ u'example@valid-----hyphens.com'
>>> f.clean('example@valid-with-hyphens.com')
u'example@valid-with-hyphens.com'
+# Check for runaway regex security problem. This will take for-freeking-ever
+# if the security fix isn't in place.
+>>> f.clean('viewx3dtextx26qx3d@yahoo.comx26latlngx3d15854521645943074058')
+Traceback (most recent call last):
+ ...
+ValidationError: [u'Enter a valid e-mail address.']
+
>>> f = EmailField(required=False)
>>> f.clean('')
u''
@@ -972,6 +979,32 @@ ValidationError: [u'Enter a valid URL.']
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid URL.']
+>>> f.clean('.')
+Traceback (most recent call last):
+...
+ValidationError: [u'Enter a valid URL.']
+>>> f.clean('com.')
+Traceback (most recent call last):
+...
+ValidationError: [u'Enter a valid URL.']
+>>> f.clean('http://example.com.')
+u'http://example.com./'
+>>> f.clean('example.com.')
+u'http://example.com./'
+
+# hangs "forever" if catastrophic backtracking in ticket:#11198 not fixed
+>>> f.clean('http://%s' % ("X"*200,))
+Traceback (most recent call last):
+...
+ValidationError: [u'Enter a valid URL.']
+
+# a second test, to make sure the problem is really addressed, even on
+# domains that don't fail the domain label length check in the regex
+>>> f.clean('http://%s' % ("X"*60,))
+Traceback (most recent call last):
+...
+ValidationError: [u'Enter a valid URL.']
+
>>> f.clean('http://.com')
Traceback (most recent call last):
...
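Review bot: The four new trailing-dot cases (`'.'`, `'com.'`, `'http://example.com.'`, `'example.com.'`) are added without any comment explaining why a fully-qualified hostname with a trailing dot is now expected to be accepted and normalised to `u'http://example.com./'` while `'.'` and `'com.'` are rejected, so a later reader cannot tell whether that acceptance is intended or an artefact of the regex rewrite. I would add a comment before the `f.clean('.')` line such as `# Trailing-dot (fully-qualified) hostnames are accepted; a bare '.' or 'com.' is not.` The second long-label test explains its purpose well; the first would also benefit from saying that `"X"*200` exceeds the domain label length limit, which is what the comment on the 60-character case implies. The URLField doctest sequence continues before and after this hunk.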