authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-05-04 20:50:12 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-05-06 08:53:27 +0200
commitd9594c4ea57b6309d93879805302cec9ae9f23ff (patch)
treef9ca2e6002625d83d4def0a0a25546a0cbab1d59 /tests/validators/tests.py
parent163700388cda2305c8dbcdb3ac1542a442f3e955 (diff)
[2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
Diffstat (limited to 'tests/validators/tests.py')
-rw-r--r--tests/validators/tests.py8
1 files changed, 7 insertions, 1 deletions
diff --git a/tests/validators/tests.py b/tests/validators/tests.py
index 36d0b2a520..012b098f4e 100644
--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -222,9 +222,15 @@ TEST_DATA = [
(URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None),
(URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
- # Trailing newlines not accepted
+ # Newlines and tabs are not accepted.
(URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
(URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
+ (URLValidator(), 'http://www.djangoproject.com/\r', ValidationError),
+ (URLValidator(), 'http://[::ffff:192.9.5.5]\r', ValidationError),
+ (URLValidator(), 'http://www.django\rproject.com/', ValidationError),
+ (URLValidator(), 'http://[::\rffff:192.9.5.5]', ValidationError),
+ (URLValidator(), 'http://\twww.djangoproject.com/', ValidationError),
+ (URLValidator(), 'http://\t[::ffff:192.9.5.5]', ValidationError),
# Trailing junk does not take forever to reject
(URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
(URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),
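Review bot: The new cases never exercise a `\n` inside the URL or a `\t` at the end. The two `\n` entries are unchanged context lines and both are trailing, while the added `\r` cases cover trailing and embedded positions and the added `\t` cases cover only the position right after `http://`. The commit message says the parser now strips these characters from URLs, so each of the three characters should be pinned in both positions, for example `(URLValidator(), 'http://www.django\nproject.com/', ValidationError),` and `(URLValidator(), 'http://www.djangoproject.com/\t', ValidationError),`. The embedded-newline case matters most because an accepted URL that is later written into a header or a log line is where a stray CR or LF does harm. The validator change itself is not shown on this page, so whether these extra inputs are already rejected is inferred rather than confirmed. The `TEST_DATA` list starts and ends outside the hunk.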