mirror of
				https://github.com/django/django.git
				synced 2025-10-26 15:16:09 +00:00 
			
		
		
		
	[1.8.x] Fixed catastrophic backtracking in URLValidator.
Thanks João Silva for reporting the problem and Tim Graham for finding the problematic RE and for review. This is a security fix; disclosure to follow shortly.
This commit is contained in:
		| @@ -73,7 +73,7 @@ class URLValidator(RegexValidator): | |||||||
|  |  | ||||||
|     # Host patterns |     # Host patterns | ||||||
|     hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?' |     hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?' | ||||||
|     domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*' |     domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*' | ||||||
|     tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?' |     tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?' | ||||||
|     host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)' |     host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)' | ||||||
|  |  | ||||||
|   | |||||||
| @@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now | |||||||
| stricter as it validates using a regular expression instead of simply casting | stricter as it validates using a regular expression instead of simply casting | ||||||
| the value using ``int()`` and checking if an exception was raised. | the value using ``int()`` and checking if an exception was raised. | ||||||
|  |  | ||||||
|  | Denial-of-service possibility in URL validation | ||||||
|  | =============================================== | ||||||
|  |  | ||||||
|  | :class:`~django.core.validators.URLValidator` included a regular expression | ||||||
|  | that was extremely slow to evaluate against certain invalid inputs. This regular | ||||||
|  | expression has been simplified and optimized. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux | |||||||
| http://-error-.invalid/ | http://-error-.invalid/ | ||||||
| http://-a.b.co | http://-a.b.co | ||||||
| http://a.b-.co | http://a.b-.co | ||||||
|  | http://a.-b.co | ||||||
|  | http://a.b-.c.co | ||||||
| http:/ | http:/ | ||||||
| http:// | http:// | ||||||
| http:// | http:// | ||||||
|   | |||||||
| @@ -172,6 +172,9 @@ TEST_DATA = [ | |||||||
|     # Trailing newlines not accepted |     # Trailing newlines not accepted | ||||||
|     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), |     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), | ||||||
|     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), |     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), | ||||||
|  |     # Trailing junk does not take forever to reject | ||||||
|  |     (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError), | ||||||
|  |     (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError), | ||||||
|  |  | ||||||
|     (BaseValidator(True), True, None), |     (BaseValidator(True), True, None), | ||||||
|     (BaseValidator(True), False, ValidationError), |     (BaseValidator(True), False, ValidationError), | ||||||
|   | |||||||
| @@ -7,6 +7,7 @@ http://www.example.com/ | |||||||
| http://www.example.com:8000/test | http://www.example.com:8000/test | ||||||
| http://valid-with-hyphens.com/ | http://valid-with-hyphens.com/ | ||||||
| http://subdomain.example.com/ | http://subdomain.example.com/ | ||||||
|  | http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ||||||
| http://200.8.9.10/ | http://200.8.9.10/ | ||||||
| http://200.8.9.10:8000/test | http://200.8.9.10:8000/test | ||||||
| http://su--b.valid-----hyphens.com/ | http://su--b.valid-----hyphens.com/ | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user