diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-01-29 22:52:41 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-03-03 09:16:53 -0300 |
| commit | 4d3c184686626d224d9a87451410ecf802b41f7c (patch) | |
| tree | 36d87c1b19f5c5a579bc4c5f65bd6f1e57d524a7 /tests | |
| parent | 94e7f17e0e507a14f30a30f4af2b0213fd9675fc (diff) | |
[5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.
This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/forms_tests/field_tests/test_urlfield.py | 88 |
1 files changed, 85 insertions, 3 deletions
diff --git a/tests/forms_tests/field_tests/test_urlfield.py b/tests/forms_tests/field_tests/test_urlfield.py index 54bc7c5e46..88ee267b1e 100644 --- a/tests/forms_tests/field_tests/test_urlfield.py +++ b/tests/forms_tests/field_tests/test_urlfield.py @@ -3,8 +3,9 @@ from types import ModuleType from django.conf import FORMS_URLFIELD_ASSUME_HTTPS_DEPRECATED_MSG, Settings, settings from django.core.exceptions import ValidationError +from django.core.validators import URLValidator from django.forms import URLField -from django.test import SimpleTestCase, ignore_warnings +from django.test import SimpleTestCase, ignore_warnings, override_settings from django.utils.deprecation import RemovedInDjango60Warning from . import FormFieldAssertionsMixin @@ -80,6 +81,16 @@ class URLFieldTest(FormFieldAssertionsMixin, SimpleTestCase): # IPv6. ("http://[12:34::3a53]/", "http://[12:34::3a53]/"), ("http://[a34:9238::]:8080/", "http://[a34:9238::]:8080/"), + # IPv6 without scheme. + ("[12:34::3a53]/", "https://[12:34::3a53]/"), + # IDN domain without scheme but with port. + ("ñandú.es:8080/", "https://ñandú.es:8080/"), + # Scheme-relative. + ("//example.com", "https://example.com"), + ("//example.com/path", "https://example.com/path"), + # Whitespace stripped. + ("\t\n//example.com \n\t\n", "https://example.com"), + ("\t\nhttp://example.com \n\t\n", "http://example.com"), ] for url, expected in tests: with self.subTest(url=url): @@ -110,10 +121,19 @@ class URLFieldTest(FormFieldAssertionsMixin, SimpleTestCase): # even on domains that don't fail the domain label length check in # the regex. "http://%s" % ("X" * 200,), - # urlsplit() raises ValueError. + # Scheme prepend yields a structurally invalid URL. "////]@N.AN", - # Empty hostname. + # Scheme prepend yields an empty hostname. "#@A.bO", + # Known problematic unicode chars. + "http://" + "¾" * 200, + # Non-ASCII character before the first colon. + "¾:example.com", + # ASCII digit before the first colon. + "1http://example.com", + # Empty scheme. + "://example.com", + ":example.com", ] msg = "'Enter a valid URL.'" for value in tests: @@ -154,6 +174,68 @@ class URLFieldTest(FormFieldAssertionsMixin, SimpleTestCase): f = URLField(assume_scheme="https") self.assertEqual(f.clean("example.com"), "https://example.com") + @override_settings(FORMS_URLFIELD_ASSUME_HTTPS=True) + def test_urlfield_assume_scheme_when_colons(self): + f = URLField() + tests = [ + # Port number. + ("http://example.com:8080/", "http://example.com:8080/"), + ("https://example.com:443/path", "https://example.com:443/path"), + # Userinfo with password. + ("http://user:pass@example.com", "http://user:pass@example.com"), + ( + "http://user:pass@example.com:8080/", + "http://user:pass@example.com:8080/", + ), + # Colon in path segment. + ("http://example.com/path:segment", "http://example.com/path:segment"), + ("http://example.com/a:b/c:d", "http://example.com/a:b/c:d"), + # Colon in query string. + ("http://example.com/?key=val:ue", "http://example.com/?key=val:ue"), + # Colon in fragment. + ("http://example.com/#section:1", "http://example.com/#section:1"), + # IPv6 -- multiple colons in host. + ("http://[::1]/", "http://[::1]/"), + ("http://[2001:db8::1]/", "http://[2001:db8::1]/"), + ("http://[2001:db8::1]:8080/", "http://[2001:db8::1]:8080/"), + # Colons across multiple components. + ( + "http://user:pass@example.com:8080/path:x?q=a:b#id:1", + "http://user:pass@example.com:8080/path:x?q=a:b#id:1", + ), + # FTP with port and userinfo. + ( + "ftp://user:pass@ftp.example.com:21/file", + "ftp://user:pass@ftp.example.com:21/file", + ), + ( + "ftps://user:pass@ftp.example.com:990/", + "ftps://user:pass@ftp.example.com:990/", + ), + # Scheme-relative URLs, starts with "//". + ("//example.com:8080/path", "https://example.com:8080/path"), + ("//user:pass@example.com/", "https://user:pass@example.com/"), + ] + for value, expected in tests: + with self.subTest(value=value): + self.assertEqual(f.clean(value), expected) + + def test_custom_validator_longer_max_length(self): + + class CustomLongURLValidator(URLValidator): + max_length = 4096 + + class CustomURLField(URLField): + default_validators = [CustomLongURLValidator()] + + field = CustomURLField() + # A URL with 4096 chars is valid given the custom validator. + prefix = "https://example.com/" + url = prefix + "a" * (4096 - len(prefix)) + self.assertEqual(len(url), 4096) + # No ValidationError is raised. + field.clean(url) + class URLFieldAssumeSchemeDeprecationTest(FormFieldAssertionsMixin, SimpleTestCase): def test_urlfield_raises_warning(self): |