diff options
author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-24 09:55:14 +0200 |
---|---|---|
committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-06-02 10:44:39 +0200 |
commit | 9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d (patch) | |
tree | 24b1f55302cfd60a9c321ef1c00d70d42c0acd88 /tests | |
parent | dfaba12cda060b8b292ae1d271b44bf810b1c5b9 (diff) | |
download | django-9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d.tar.gz |
[3.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.
[1] https://bugs.python.org/issue36384
Diffstat (limited to 'tests')
-rw-r--r-- | tests/validators/invalid_urls.txt | 8 | ||||
-rw-r--r-- | tests/validators/tests.py | 20 | ||||
-rw-r--r-- | tests/validators/valid_urls.txt | 6 |
3 files changed, 34 insertions, 0 deletions
diff --git a/tests/validators/invalid_urls.txt b/tests/validators/invalid_urls.txt index 3a92bbb9b4..86a080bf33 100644 --- a/tests/validators/invalid_urls.txt +++ b/tests/validators/invalid_urls.txt @@ -46,6 +46,14 @@ http://1.1.1.1.1 http://123.123.123 http://3628126748 http://123 +http://000.000.000.000 +http://016.016.016.016 +http://192.168.000.001 +http://01.2.3.4 +http://01.2.3.4 +http://1.02.3.4 +http://1.2.03.4 +http://1.2.3.04 http://.www.foo.bar/ http://.www.foo.bar./ http://[::1:2::3]:8080/ diff --git a/tests/validators/tests.py b/tests/validators/tests.py index 09d5c40ff5..e39d0e3a1c 100644 --- a/tests/validators/tests.py +++ b/tests/validators/tests.py @@ -136,6 +136,16 @@ TEST_DATA = [ (validate_ipv4_address, '1.1.1.1\n', ValidationError), (validate_ipv4_address, '٧.2٥.3٣.243', ValidationError), + # Leading zeros are forbidden to avoid ambiguity with the octal notation. + (validate_ipv4_address, '000.000.000.000', ValidationError), + (validate_ipv4_address, '016.016.016.016', ValidationError), + (validate_ipv4_address, '192.168.000.001', ValidationError), + (validate_ipv4_address, '01.2.3.4', ValidationError), + (validate_ipv4_address, '01.2.3.4', ValidationError), + (validate_ipv4_address, '1.02.3.4', ValidationError), + (validate_ipv4_address, '1.2.03.4', ValidationError), + (validate_ipv4_address, '1.2.3.04', ValidationError), + # validate_ipv6_address uses django.utils.ipv6, which # is tested in much greater detail in its own testcase (validate_ipv6_address, 'fe80::1', None), @@ -161,6 +171,16 @@ TEST_DATA = [ (validate_ipv46_address, '::zzz', ValidationError), (validate_ipv46_address, '12345::', ValidationError), + # Leading zeros are forbidden to avoid ambiguity with the octal notation. + (validate_ipv46_address, '000.000.000.000', ValidationError), + (validate_ipv46_address, '016.016.016.016', ValidationError), + (validate_ipv46_address, '192.168.000.001', ValidationError), + (validate_ipv46_address, '01.2.3.4', ValidationError), + (validate_ipv46_address, '01.2.3.4', ValidationError), + (validate_ipv46_address, '1.02.3.4', ValidationError), + (validate_ipv46_address, '1.2.03.4', ValidationError), + (validate_ipv46_address, '1.2.3.04', ValidationError), + (validate_comma_separated_integer_list, '1', None), (validate_comma_separated_integer_list, '12', None), (validate_comma_separated_integer_list, '1,2', None), diff --git a/tests/validators/valid_urls.txt b/tests/validators/valid_urls.txt index 3f8bf839b0..53fde9df7f 100644 --- a/tests/validators/valid_urls.txt +++ b/tests/validators/valid_urls.txt @@ -71,6 +71,12 @@ http://0.0.0.0/ http://255.255.255.255 http://224.0.0.0 http://224.1.1.1 +http://111.112.113.114/ +http://88.88.88.88/ +http://11.12.13.14/ +http://10.20.30.40/ +http://1.2.3.4/ +http://127.0.01.09.home.lan http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa |