Prevented newlines from being accepted in some validators.

This is a security fix; disclosure to follow shortly. Thanks to Sjoerd Job Postmus for the report and draft patch.
2025-10-23 21:59:11 +00:00 · 2015-06-12 13:49:31 -04:00
parent df049ed77a
commit 014247ad19
5 changed files with 111 additions and 13 deletions
--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -28,10 +28,12 @@ TEST_DATA = [
    (validate_integer, '42', None),
    (validate_integer, '-42', None),
    (validate_integer, -42, None),
-    (validate_integer, -42.5, None),

+    (validate_integer, -42.5, ValidationError),
    (validate_integer, None, ValidationError),
    (validate_integer, 'a', ValidationError),
+    (validate_integer, '\n42', ValidationError),
+    (validate_integer, '42\n', ValidationError),

    (validate_email, 'email@here.com', None),
    (validate_email, 'weirder-email@here.and.there.com', None),
@@ -77,6 +79,11 @@ TEST_DATA = [
    # Max length of domain name labels is 63 characters per RFC 1034.
    (validate_email, 'a@%s.us' % ('a' * 63), None),
    (validate_email, 'a@%s.us' % ('a' * 64), ValidationError),
+    # Trailing newlines in username or domain not allowed
+    (validate_email, 'a@b.com\n', ValidationError),
+    (validate_email, 'a\n@b.com', ValidationError),
+    (validate_email, '"test@test"\n@example.com', ValidationError),
+    (validate_email, 'a@[127.0.0.1]\n', ValidationError),

    (validate_slug, 'slug-ok', None),
    (validate_slug, 'longer-slug-still-ok', None),
@@ -89,6 +96,7 @@ TEST_DATA = [
    (validate_slug, 'some@mail.com', ValidationError),
    (validate_slug, '你好', ValidationError),
    (validate_slug, '\n', ValidationError),
+    (validate_slug, 'trailing-newline\n', ValidationError),

    (validate_ipv4_address, '1.1.1.1', None),
    (validate_ipv4_address, '255.0.0.0', None),
@@ -98,6 +106,7 @@ TEST_DATA = [
    (validate_ipv4_address, '25.1.1.', ValidationError),
    (validate_ipv4_address, '25,1,1,1', ValidationError),
    (validate_ipv4_address, '25.1 .1.1', ValidationError),
+    (validate_ipv4_address, '1.1.1.1\n', ValidationError),

    # validate_ipv6_address uses django.utils.ipv6, which
    # is tested in much greater detail in its own testcase
@@ -142,6 +151,7 @@ TEST_DATA = [

    (int_list_validator(sep='.'), '1.2.3', None),
    (int_list_validator(sep='.'), '1,2,3', ValidationError),
+    (int_list_validator(sep='.'), '1.2.3\n', ValidationError),

    (MaxValueValidator(10), 10, None),
    (MaxValueValidator(10), -10, None),
@@ -175,6 +185,9 @@ TEST_DATA = [
    (URLValidator(EXTENDED_SCHEMES), 'git://example.com/', None),

    (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
+    # Trailing newlines not accepted
+    (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
+    (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),

    (BaseValidator(True), True, None),
    (BaseValidator(True), False, ValidationError),