[2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
author: Florian Apolloner <florian@apolloner.eu> 2021-11-29 11:52:03 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-12-07 07:02:14 +0100
commit: 7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (patch)
tree: 30f258d28a98578c1ffc6c7a4a8b6f411759b509 /tests/urlpatterns
parent: 0007a5f9fa21bf6fda5e0a701511b95edefdb0ac (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/urlpatterns/tests.py b/tests/urlpatterns/tests.py
index f696cd531d..38b4392adc 100644
--- a/tests/urlpatterns/tests.py
+++ b/tests/urlpatterns/tests.py
@@ -116,6 +116,19 @@ class SimplifiedURLTests(SimpleTestCase):
         with self.assertRaisesMessage(ImproperlyConfigured, msg):
             path('foo/<nonexistent:var>/', empty_view)
 
+    def test_path_trailing_newlines(self):
+        tests = [
+            '/articles/2003/\n',
+            '/articles/2010/\n',
+            '/en/foo/\n',
+            '/included_urls/extra/\n',
+            '/regex/1/\n',
+            '/users/1/\n',
+        ]
+        for url in tests:
+            with self.subTest(url=url), self.assertRaises(Resolver404):
+                resolve(url)
+
 
 @override_settings(ROOT_URLCONF='urlpatterns.converter_urls')
 class ConverterTests(SimpleTestCase):
author	Florian Apolloner <florian@apolloner.eu>	2021-11-29 11:52:03 +0100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-12-07 07:02:14 +0100
commit	7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (patch)
tree	30f258d28a98578c1ffc6c7a4a8b6f411759b509 /tests/urlpatterns
parent	0007a5f9fa21bf6fda5e0a701511b95edefdb0ac (diff)