[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. - django.git

diff options

author	Natalia <124304+nessita@users.noreply.github.com>	2026-01-29 22:52:41 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2026-03-03 09:10:53 -0300
commit	b1444d9acf43db9de96e0da2b4737ad56af0eb76 (patch)
tree	e784213e3c584878234d5d9afabbba6a17abf552 /tests/staticfiles_tests/test_forms.py
parent	1b22d53bf67943cd193bbd6e327d955c19d2f5d2 (diff)

[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.

This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.

Diffstat (limited to 'tests/staticfiles_tests/test_forms.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: