authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-05-24 09:55:14 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-06-02 10:58:39 +0200
commite1d787f1b36d13b95187f8f425425ae1b98da188 (patch)
treea8bcc44d47e04d5bc4b132b5194005315d925e94 /tests/validators
parent46572de2e92fdeaf047f80c44d52269e54ad68db (diff)
downloaddjango-e1d787f1b36d13b95187f8f425425ae1b98da188.tar.gz
Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expression and it was affected on all Python versions. [1] https://bugs.python.org/issue36384
Diffstat (limited to 'tests/validators')
-rw-r--r--tests/validators/invalid_urls.txt8
-rw-r--r--tests/validators/tests.py20
-rw-r--r--tests/validators/valid_urls.txt6
3 files changed, 34 insertions, 0 deletions
diff --git a/tests/validators/invalid_urls.txt b/tests/validators/invalid_urls.txt
index 3a92bbb9b4..86a080bf33 100644
--- a/tests/validators/invalid_urls.txt
+++ b/tests/validators/invalid_urls.txt
@@ -46,6 +46,14 @@ http://1.1.1.1.1
http://123.123.123
http://3628126748
http://123
+http://000.000.000.000
+http://016.016.016.016
+http://192.168.000.001
+http://01.2.3.4
+http://01.2.3.4
+http://1.02.3.4
+http://1.2.03.4
+http://1.2.3.04
http://.www.foo.bar/
http://.www.foo.bar./
http://[::1:2::3]:8080/
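Review bot: `http://01.2.3.4` is added twice in a row, so the second entry exercises nothing the first does not. The same duplicate of `'01.2.3.4'` appears in both tests.py hunks, for validate_ipv4_address and validate_ipv46_address. If a different case was intended, replace the repeat with a distinct one; none of the new invalid URLs carries a port or path, so something like `http://01.2.3.4:8080/path` (constructed example) would check that the regular expression still rejects the host when more of the URL follows it. Otherwise drop the repeated line in all three places.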
diff --git a/tests/validators/tests.py b/tests/validators/tests.py
index 09d5c40ff5..e39d0e3a1c 100644
--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -136,6 +136,16 @@ TEST_DATA = [
(validate_ipv4_address, '1.1.1.1\n', ValidationError),
(validate_ipv4_address, '٧.2٥.3٣.243', ValidationError),
+ # Leading zeros are forbidden to avoid ambiguity with the octal notation.
+ (validate_ipv4_address, '000.000.000.000', ValidationError),
+ (validate_ipv4_address, '016.016.016.016', ValidationError),
+ (validate_ipv4_address, '192.168.000.001', ValidationError),
+ (validate_ipv4_address, '01.2.3.4', ValidationError),
+ (validate_ipv4_address, '01.2.3.4', ValidationError),
+ (validate_ipv4_address, '1.02.3.4', ValidationError),
+ (validate_ipv4_address, '1.2.03.4', ValidationError),
+ (validate_ipv4_address, '1.2.3.04', ValidationError),
+
# validate_ipv6_address uses django.utils.ipv6, which
# is tested in much greater detail in its own testcase
(validate_ipv6_address, 'fe80::1', None),
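Review bot: The added comment gives the reason for the rule but not why these cases must stay once the standard library rejects such input itself. The commit description says validate_ipv4_address() was affected only on Python < 3.9.5, and a test file is where the next maintainer will look before pruning "redundant" cases. I would extend it to something like `# Leading zeros are forbidden to avoid ambiguity with the octal notation: a resolver that reads 016 as octal reaches a different host than the one validated. Python < 3.9.5 accepted them (bpo-36384).` The validator's own implementation is outside this page, so whether it relies on the standard library or adds its own check should be confirmed against it.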
@@ -161,6 +171,16 @@ TEST_DATA = [
(validate_ipv46_address, '::zzz', ValidationError),
(validate_ipv46_address, '12345::', ValidationError),
+ # Leading zeros are forbidden to avoid ambiguity with the octal notation.
+ (validate_ipv46_address, '000.000.000.000', ValidationError),
+ (validate_ipv46_address, '016.016.016.016', ValidationError),
+ (validate_ipv46_address, '192.168.000.001', ValidationError),
+ (validate_ipv46_address, '01.2.3.4', ValidationError),
+ (validate_ipv46_address, '01.2.3.4', ValidationError),
+ (validate_ipv46_address, '1.02.3.4', ValidationError),
+ (validate_ipv46_address, '1.2.03.4', ValidationError),
+ (validate_ipv46_address, '1.2.3.04', ValidationError),
+
(validate_comma_separated_integer_list, '1', None),
(validate_comma_separated_integer_list, '12', None),
(validate_comma_separated_integer_list, '1,2', None),
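Review bot: The new validate_ipv46_address cases cover only bare dotted-quad input, so an IPv4 address embedded in an IPv6 literal with a zero-prefixed octet is not exercised. That path goes through the IPv6 validation rather than validate_ipv4_address, and from this page alone it is not possible to tell whether it rejects leading zeros on older Python versions. Adding a case such as `(validate_ipv46_address, '::ffff:01.2.3.4', ValidationError),` (constructed example), and the same for validate_ipv6_address, would pin that behaviour down.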
diff --git a/tests/validators/valid_urls.txt b/tests/validators/valid_urls.txt
index 3f8bf839b0..53fde9df7f 100644
--- a/tests/validators/valid_urls.txt
+++ b/tests/validators/valid_urls.txt
@@ -71,6 +71,12 @@ http://0.0.0.0/
http://255.255.255.255
http://224.0.0.0
http://224.1.1.1
+http://111.112.113.114/
+http://88.88.88.88/
+http://11.12.13.14/
+http://10.20.30.40/
+http://1.2.3.4/
+http://127.0.01.09.home.lan
http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
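Review bot: `http://127.0.01.09.home.lan` is the one added entry whose purpose is not obvious from the value. It appears to guard against the new leading-zero rule rejecting hostnames whose first labels merely look like a zero-prefixed IPv4 address. Nothing visible here records that intent, so a later clean-up could drop it as an oddity. I would state it in the commit description, or next to the code that loads this file, for example `# Zero-prefixed numeric labels are only rejected in a complete IPv4 literal, not inside a hostname.`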