[4.1.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.

Thanks to Benjamin Balder Bach for the report.
2025-10-31 09:41:08 +00:00 · 2022-09-02 09:44:05 +01:00
parent 7843c43c49
commit 9d656ea51d
5 changed files with 23 additions and 3 deletions
--- a/django/urls/resolvers.py
+++ b/django/urls/resolvers.py
@@ -346,7 +346,7 @@ class LocalePrefixPattern:
    @property
    def regex(self):
        # This is only used by reverse() and cached in _reverse_dict.
-        return re.compile(self.language_prefix)
+        return re.compile(re.escape(self.language_prefix))

    @property
    def language_prefix(self):