diff options
author | Florian Apolloner <florian@apolloner.eu> | 2021-11-29 11:52:03 +0100 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-12-07 06:28:08 +0100 |
commit | d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 (patch) | |
tree | 662b56e783c369cb07b42065c8ff49eac4acd5c0 /tests/urlpatterns | |
parent | 628b6a686974698cbf820bad72f10dad133174ec (diff) | |
download | django-d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.tar.gz |
Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.
Diffstat (limited to 'tests/urlpatterns')
-rw-r--r-- | tests/urlpatterns/tests.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/urlpatterns/tests.py b/tests/urlpatterns/tests.py index dca9f63086..cf942fe72b 100644 --- a/tests/urlpatterns/tests.py +++ b/tests/urlpatterns/tests.py @@ -169,6 +169,19 @@ class SimplifiedURLTests(SimpleTestCase): match = p.resolve('space%s/1/' % string.whitespace) self.assertEqual(match.kwargs, {'num': 1}) + def test_path_trailing_newlines(self): + tests = [ + '/articles/2003/\n', + '/articles/2010/\n', + '/en/foo/\n', + '/included_urls/extra/\n', + '/regex/1/\n', + '/users/1/\n', + ] + for url in tests: + with self.subTest(url=url), self.assertRaises(Resolver404): + resolve(url) + @override_settings(ROOT_URLCONF='urlpatterns.converter_urls') class ConverterTests(SimpleTestCase): |