diff options
| author | Adam Johnson <me@adamj.eu> | 2022-09-02 09:44:05 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2022-09-27 10:26:46 +0200 |
| commit | 23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1 (patch) | |
| tree | 4aeab28badf4b6ea23985f542aeda9b6773488ef | |
| parent | 4a30e0db269a364cb480f48524fa48e6abcf9e94 (diff) | |
| download | django-23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1.tar.gz | |
[4.0.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
| -rw-r--r-- | django/urls/resolvers.py | 2 | ||||
| -rw-r--r-- | docs/releases/3.2.16.txt | 6 | ||||
| -rw-r--r-- | docs/releases/4.0.8.txt | 6 | ||||
| -rw-r--r-- | tests/i18n/patterns/tests.py | 6 |
4 files changed, 17 insertions, 3 deletions
diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py index 26c9884e18..633eba272c 100644 --- a/django/urls/resolvers.py +++ b/django/urls/resolvers.py @@ -338,7 +338,7 @@ class LocalePrefixPattern: @property def regex(self): # This is only used by reverse() and cached in _reverse_dict. - return re.compile(self.language_prefix) + return re.compile(re.escape(self.language_prefix)) @property def language_prefix(self): diff --git a/docs/releases/3.2.16.txt b/docs/releases/3.2.16.txt index 3769d0837c..da0a6c4ed4 100644 --- a/docs/releases/3.2.16.txt +++ b/docs/releases/3.2.16.txt @@ -6,4 +6,8 @@ Django 3.2.16 release notes Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15. -... +CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs +=================================================================================== + +Internationalized URLs were subject to potential denial of service attack via +the locale parameter. diff --git a/docs/releases/4.0.8.txt b/docs/releases/4.0.8.txt index 602fe0a76a..b057eaa1ea 100644 --- a/docs/releases/4.0.8.txt +++ b/docs/releases/4.0.8.txt @@ -6,4 +6,8 @@ Django 4.0.8 release notes Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7. -... +CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs +=================================================================================== + +Internationalized URLs were subject to potential denial of service attack via +the locale parameter. diff --git a/tests/i18n/patterns/tests.py b/tests/i18n/patterns/tests.py index db04e9a1a4..73a7619dfe 100644 --- a/tests/i18n/patterns/tests.py +++ b/tests/i18n/patterns/tests.py @@ -198,6 +198,12 @@ class URLTranslationTests(URLTestCaseBase): self.assertEqual(translate_url("/nl/gebruikers/", "en"), "/en/users/") self.assertEqual(translation.get_language(), "nl") + def test_locale_not_interepreted_as_regex(self): + with translation.override("e("): + # Would previously error: + # re.error: missing ), unterminated subpattern at position 1 + reverse("users") + class URLNamespaceTests(URLTestCaseBase): """ |