mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 14:16:09 +00:00
Code Issues 32 Releases Wiki Activity

[1.8.x] Fixed catastrophic backtracking in URLValidator.

Browse Source 
Thanks João Silva for reporting the problem and Tim Graham for finding the
problematic RE and for review.

This is a security fix; disclosure to follow shortly.
This commit is contained in:
Shai Berger
2015-06-30 01:09:21 +03:00
committed by Tim Graham
parent 574dd5e0b0
commit 8f9a4d3a2b
5 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tests/validators/invalid_urls.txt
View File

@@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux
http://-error-.invalid/
http://-a.b.co
http://a.b-.co
http://a.-b.co
http://a.b-.c.co
http:/
http://
http://

3
tests/validators/tests.py
View File

@@ -172,6 +172,9 @@ TEST_DATA = [
# Trailing newlines not accepted
(URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
(URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
# Trailing junk does not take forever to reject
(URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
(URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),
(BaseValidator(True), True, None),
(BaseValidator(True), False, ValidationError),

1
tests/validators/valid_urls.txt
View File

@@ -7,6 +7,7 @@ http://www.example.com/
http://www.example.com:8000/test
http://valid-with-hyphens.com/
http://subdomain.example.com/
http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
http://200.8.9.10/
http://200.8.9.10:8000/test
http://su--b.valid-----hyphens.com/