mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

SECURITY ALERT: Corrected regular expressions for URL and email fields.

Browse Source 
Certain email addresses/URLs could trigger a catastrophic backtracking situation, causing 100% CPU and server overload. If deliberately triggered, this could be the basis of a denial-of-service attack.

This security vulnerability was disclosed in public, so we're skipping our
normal security release process to get the fix out as soon as possible.

This is a security related update. A full announcement, as well as backports for the 1.1.X and 1.0.X series will follow.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11603 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jacob Kaplan-Moss
2009-10-09 20:57:59 +00:00
parent 8aee95ca3e
commit 9f8287a3f1
2 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
tests/regressiontests/forms/fields.py
View File

@@ -767,6 +767,13 @@ u'example@valid-----hyphens.com'
>>> f.clean('example@valid-with-hyphens.com')
u'example@valid-with-hyphens.com'
# Check for runaway regex security problem. This will take for-freeking-ever
# if the security fix isn't in place.
>>> f.clean('viewx3dtextx26qx3d@yahoo.comx26latlngx3d15854521645943074058')
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid e-mail address.']
>>> f = EmailField(required=False)
>>> f.clean('')
u''
@@ -972,6 +979,32 @@ ValidationError: [u'Enter a valid URL.']
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid URL.']
>>> f.clean('.')
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid URL.']
>>> f.clean('com.')
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid URL.']
>>> f.clean('http://example.com.')
u'http://example.com./'
>>> f.clean('example.com.')
u'http://example.com./'
# hangs "forever" if catastrophic backtracking in ticket:#11198 not fixed
>>> f.clean('http://%s' % ("X"*200,))
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid URL.']
# a second test, to make sure the problem is really addressed, even on
# domains that don't fail the domain label length check in the regex
>>> f.clean('http://%s' % ("X"*60,))
Traceback (most recent call last):
...
ValidationError: [u'Enter a valid URL.']
>>> f.clean('http://.com')
Traceback (most recent call last):
...